[PATCH v3 00/12] Signed BPF programs

[PATCH v3 00/12] Signed BPF programs

[KP Singh]

# v2 -> v3

* Dropped unstable test where function can be inlined and only select few
  LSKEL tests are using signing per Alexei's request
* Some other feedback incorporated.

#v1 -> v2

* Addressed feedback on excl maps and their implementation
* fixed s390x and other tests that were failing in the CI.
* using the kernel's sha256 API since it now uses acceleration if available
* simple signing test case, this can be extended to inject a false SHA into
  the loader

BPF Signing has gone over multiple discussions in various conferences with the
kernel and BPF community and the following patch series is a culmination
of the current of discussion and signed BPF programs. Once signing is
implemented, the next focus would be to implement the right security policies
for all BPF use-cases (dynamically generated bpf programs, simple non CO-RE
programs).

Signing also paves the way for allowing unrivileged users to
load vetted BPF programs and helps in adhering to the principle of least
privlege by avoiding unnecessary elevation of privileges to CAP_BPF and
CAP_SYS_ADMIN (ofcourse, with the appropriate security policy active).

A early version of this design was proposed in [1]:

# General Idea: Trusted Hash Chain

The key idea of the design is to use a signing algorithm that allows
us to integrity-protect a number of future payloads, including their
order, by creating a chain of trust.

Consider that Alice needs to send messages M_1, M_2, ..., M_n to Bob.
We define blocks of data such that:

    B_n = M_n || H(termination_marker)

(Each block contains its corresponding message and the hash of the
*next* block in the chain.)

    B_{n-1} = M_{n-1} || H(B_n)
    B_{n-2} = M_{n-2} || H(B_{n-1})

  ...

    B_2 = M_2 || H(B_3)
    B_1 = M_1 || H(B_2)

Alice does the following (e.g., on a build system where all payloads
are available):

  * Assembles the blocks B_1, B_2, ..., B_n.
  * Calculates H(B_1) and signs it, yielding Sig(H(B_1)).

Alice sends the following to Bob:

    M_1, H(B_2), Sig(H(B_1))

Bob receives this payload and does the following:

    * Reconstructs B_1 as B_1' using the received M_1 and H(B_2)
(i.e., B_1' = M_1 || H(B_2)).
    * Recomputes H(B_1') and verifies the signature against the
received Sig(H(B_1)).
    * If the signature verifies, it establishes the integrity of M_1
and H(B_2) (and transitively, the integrity of the entire chain). Bob
now stores the verified H(B_2) until it receives the next message.
    * When Bob receives M_2 (and H(B_3) if n > 2), it reconstructs
B_2' (e.g., B_2' = M_2 || H(B_3), or if n=2, B_2' = M_2 ||
H(termination_marker)). Bob then computes H(B_2') and compares it
against the stored H(B_2) that was verified in the previous step.

This process continues until the last block is received and verified.

Now, applying this to the BPF signing use-case, we simplify to two messages:

    M_1 = I_loader (the instructions of the loader program)
    M_2 = M_metadata (the metadata for the loader program, passed in a
map, which includes the programs to be loaded and other context)

For this specific BPF case, we will directly sign a composite of the
first message and the hash of the second. Let H_meta = H(M_metadata).
The block to be signed is effectively:

    B_signed = I_loader || H_meta

The signature generated is Sig(B_signed).

The process then follows a similar pattern to the Alice and Bob model,
where the kernel (Bob) verifies I_loader and H_meta using the
signature. Then, the trusted I_loader is responsible for verifying
M_metadata against the trusted H_meta.

From an implementation standpoint:

# Build

bpftool (or some other tool in a trusted build environment) knows
about the metadata (M_metadata) and the loader program (I_loader). It
first calculates H_meta = H(M_metadata). Then it constructs the object
to be signed and computes the signature:

    Sig(I_loader || H_meta)

# Loader

The loader program and the metadata are a hermetic representation of the source
of the eBPF program, its maps and context. The loader program is generated by
libbpf as a part of a standard API i.e. bpf_object__gen_loader.

## Supply chain

While users can use light skeletons as a convenient method to use signing
support, they can directly use the loader program generation using libbpf
(bpf_object__gen_loader) into their own trusted toolchains.

libbpf, which has access to the program's instruction buffer is a key part of
the TCB of the build environment

An advanced threat model that does not intend to depend on libbpf (or any provenant
userspace BPF libraries) due to supply chain risks despite it being developed
in the kernel source and by the kernel community will require reimplmenting a
lot of the core BPF userspace support (like instruction relocation, map handling).

Such an advanced user would also need to integrate the generation of the loader
into their toolchain.

Given that many use-cases (e.g. Cilium) generate trusted BPF programs,
trusted loaders are an inevitability and a requirement for signing support, a
entrusting loader programs will be a fundamental requirement for an security
policy.

The initial instructions of the loader program verify the SHA256 hash
of the metadata (M_metadata) that will be passed in a map. These instructions
effectively embed the precomputed H_meta as immediate values.

    ld_imm64 r1, const_ptr_to_map // insn[0].src_reg == BPF_PSEUDO_MAP_IDX
    r2 = *(u64 *)(r1 + 0);
    ld_imm64 r3, sha256_of_map_part1 // precomputed by bpf_object__gen_load/libbpf (H_meta_1)
    if r2 != r3 goto out;

    r2 = *(u64 *)(r1 + 8);
    ld_imm64 r3, sha256_of_map_part2 // precomputed by bpf_object__gen_load/libbpf (H_meta_2)
    if r2 != r3 goto out;

    r2 = *(u64 *)(r1 + 16);
    ld_imm64 r3, sha256_of_map_part3 // precomputed by bpf_object__gen_load/libbpf (H_meta_3)
    if r2 != r3 goto out;

    r2 = *(u64 *)(r1 + 24);
    ld_imm64 r3, sha256_of_map_part4 // precomputed by bpf_object__gen_load/libbpf (H_meta_4)
    if r2 != r3 goto out;
    ...

This implicitly makes the payload equivalent to the signed block (B_signed)

    I_loader || H_meta

bpftool then generates the signature of this I_loader payload (which
now contains the expected H_meta) using a key and an identity:

This signature is stored in bpf_attr, which is extended as follows for
the BPF_PROG_LOAD command:

    __aligned_u64 signature;
    __u32 signature_size;
    __u32 keyring_id;

The reasons for a simpler UAPI is that it's more future proof (e.g.) with more
stable instruction buffers, loader programs being directly into the compilers.
A simple API also allows simple programs e.g. for networking that don't need
loader programs to directly use signing.

# Extending OBJ_GET_INFO_BY_FD for hashes

OBJ_GET_INFO_BY_FD is used to get information about BPF objects (maps, programs, links) and
returning the hash of the map is a natural extension of the UAPI as it can be
helpful for debugging, fingerprinting etc.

Currently, it's only implemented for BPF_MAP_TYPE_ARRAY. It can be trivially
extended for BPF programs to return the complete SHA256 along with the tag.

The SHA is stored in struct bpf_map for exclusive and frozen maps

    struct bpf_map {
    +   u64 sha[4];
        const struct bpf_map_ops *ops;
        struct bpf_map *inner_map_meta;
    };

## Exclusive BPF maps

Exclusivity ensures that the map can only be used by a future BPF
program whose SHA256 hash matches sha256_of_future_prog.

First, bpf_prog_calc_tag() is updated to compute the SHA256 instead of
SHA1, and this hash is stored in struct bpf_prog_aux:

    @@ -1588,6 +1588,7 @@ struct bpf_prog_aux {
         int cgroup_atype; /* enum cgroup_bpf_attach_type */
         struct bpf_map *cgroup_storage[MAX_BPF_CGROUP_STORAGE_TYPE];
         char name[BPF_OBJ_NAME_LEN];
    +    u64 sha[4];
         u64 (*bpf_exception_cb)(u64 cookie, u64 sp, u64 bp, u64, u64);
         // ...
    };

An exclusive is created by passing an excl_prog_hash
(and excl_prog_hash_size) in the BPF_MAP_CREATE command.
When a BPF program is subsequently loaded and it attempts to use this map,
the kernel will compare the program's own SHA256 hash against the one
registered with the map, if matching, it will be added to prog->used_maps[].

The program load will fail if the hashes do not match or if the map is
already in use by another (non-matching) exclusive program.

Exclusive maps ensure that no other BPF programs and compromise the intergity of
the map post the signature verification.

NOTE: Exclusive maps cannot be added as inner maps.

# Light Skeleton Sequence (Userspace Example)

	err = map_fd = skel_map_create(BPF_MAP_TYPE_ARRAY, "__loader.map",
				       opts->excl_prog_hash,
				       opts->excl_prog_hash_sz, 4,
				       opts->data_sz, 1);
	err = skel_map_update_elem(map_fd, &key, opts->data, 0);

	err = skel_map_freeze(map_fd);

	// Kernel computes the hash of the map.
	err = skel_obj_get_info_by_fd(map_fd);

	memset(&attr, 0, prog_load_attr_sz);
	attr.prog_type = BPF_PROG_TYPE_SYSCALL;
	attr.insns = (long) opts->insns;
	attr.insn_cnt = opts->insns_sz / sizeof(struct bpf_insn);
	attr.signature = (long) opts->signature;
	attr.signature_size = opts->signature_sz;
	attr.keyring_id = opts->keyring_id;
	attr.license = (long) "Dual BSD/GPL";

The kernel will:

    * Compute the hash of the provided I_loader bytecode.
    * Verify the signature against this computed hash.
    * Check if the metadata map (now exclusive) is intended for this
      program's hash.

The signature check happens in BPF_PROG_LOAD before the security_bpf_prog
LSM hook.

This ensures that the loaded loader program (I_loader), including the
embedded expected hash of the metadata (H_meta), is trusted.
Since the loader program is now trusted, it can be entrusted to verify
the actual metadata (M_metadata) read from the (now exclusive and
frozen) map against the embedded (and trusted) H_meta. There is no
Time-of-Check-Time-of-Use (TOCTOU) vulnerability here because:

    * The signature covers the I_loader and its embedded H_meta.
    * The metadata map M_metadata is frozen before the loader program is loaded
      and associated with it.
    * The map is made exclusive to the specific (signed and verified)
      loader program.

[1] https://lore.kernel.org/bpf/CACYkzJ6VQUExfyt0=-FmXz46GHJh3d=FXh5j4KfexcEFbHV-vg@mail.gmail.com/#t


KP Singh (12):
  bpf: Update the bpf_prog_calc_tag to use SHA256
  bpf: Implement exclusive map creation
  libbpf: Implement SHA256 internal helper
  libbpf: Support exclusive map creation
  selftests/bpf: Add tests for exclusive maps
  bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD
  bpf: Move the signature kfuncs to helpers.c
  bpf: Implement signature verification for BPF programs
  libbpf: Update light skeleton for signing
  libbpf: Embed and verify the metadata hash in the loader
  bpftool: Add support for signing BPF programs
  selftests/bpf: Enable signature verification for some lskel tests

 crypto/asymmetric_keys/pkcs7_verify.c         |   1 +
 include/linux/bpf.h                           |  42 +++-
 include/linux/filter.h                        |   6 -
 include/linux/verification.h                  |   1 +
 include/uapi/linux/bpf.h                      |  14 ++
 kernel/bpf/Kconfig                            |   2 +-
 kernel/bpf/arraymap.c                         |  13 ++
 kernel/bpf/core.c                             |  50 +----
 kernel/bpf/helpers.c                          | 166 ++++++++++++++
 kernel/bpf/syscall.c                          |  97 +++++++-
 kernel/bpf/verifier.c                         |   6 +
 kernel/trace/bpf_trace.c                      | 183 ---------------
 .../bpf/bpftool/Documentation/bpftool-gen.rst |  16 +-
 .../bpftool/Documentation/bpftool-prog.rst    |  18 +-
 tools/bpf/bpftool/Makefile                    |   6 +-
 tools/bpf/bpftool/cgroup.c                    |   4 +
 tools/bpf/bpftool/gen.c                       |  60 ++++-
 tools/bpf/bpftool/main.c                      |  26 ++-
 tools/bpf/bpftool/main.h                      |  11 +
 tools/bpf/bpftool/prog.c                      |  27 ++-
 tools/bpf/bpftool/sign.c                      | 212 ++++++++++++++++++
 tools/include/uapi/linux/bpf.h                |  14 ++
 tools/lib/bpf/bpf.c                           |   6 +-
 tools/lib/bpf/bpf.h                           |   4 +-
 tools/lib/bpf/bpf_gen_internal.h              |   2 +
 tools/lib/bpf/gen_loader.c                    |  55 +++++
 tools/lib/bpf/libbpf.c                        | 125 +++++++++++
 tools/lib/bpf/libbpf.h                        |  21 +-
 tools/lib/bpf/libbpf.map                      |   2 +
 tools/lib/bpf/libbpf_internal.h               |   4 +
 tools/lib/bpf/skel_internal.h                 |  75 ++++++-
 tools/testing/selftests/bpf/.gitignore        |   1 +
 tools/testing/selftests/bpf/Makefile          |  35 ++-
 .../selftests/bpf/prog_tests/map_excl.c       |  56 +++++
 tools/testing/selftests/bpf/progs/map_excl.c  |  34 +++
 .../selftests/bpf/progs/verifier_map_ptr.c    |   7 +-
 tools/testing/selftests/bpf/test_progs.c      |  13 ++
 .../testing/selftests/bpf/verify_sig_setup.sh |  13 +-
 38 files changed, 1161 insertions(+), 267 deletions(-)
 create mode 100644 tools/bpf/bpftool/sign.c
 create mode 100644 tools/testing/selftests/bpf/prog_tests/map_excl.c
 create mode 100644 tools/testing/selftests/bpf/progs/map_excl.c

-- 
2.43.0

[PATCH v3 01/12] bpf: Update the bpf_prog_calc_tag to use SHA256

[KP Singh]

Exclusive maps restrict map access to specific programs using a hash.
The current hash used for this is SHA1, which is prone to collisions.
This patch uses SHA256, which  is more resilient against
collisions. This new hash is stored in bpf_prog and used by the verifier
to determine if a program can access a given exclusive map.

The original 64-bit tags are kept, as they are used by users as a short,
possibly colliding program identifier for non-security purposes.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/bpf.h    |  6 ++++-
 include/linux/filter.h |  6 -----
 kernel/bpf/Kconfig     |  2 +-
 kernel/bpf/core.c      | 50 +++++++-----------------------------------
 4 files changed, 14 insertions(+), 50 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index e7ee089e8a31..b98c5b5bf2a1 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -31,6 +31,7 @@
 #include <linux/memcontrol.h>
 #include <linux/cfi.h>
 #include <asm/rqspinlock.h>
+#include <crypto/sha2.h>
 
 struct bpf_verifier_env;
 struct bpf_verifier_log;
@@ -1711,7 +1712,10 @@ struct bpf_prog {
 	enum bpf_attach_type	expected_attach_type; /* For some prog types */
 	u32			len;		/* Number of filter blocks */
 	u32			jited_len;	/* Size of jited insns in bytes */
-	u8			tag[BPF_TAG_SIZE];
+	union {
+		u8 digest[SHA256_DIGEST_SIZE];
+		u8 tag[BPF_TAG_SIZE];
+	};
 	struct bpf_prog_stats __percpu *stats;
 	int __percpu		*active;
 	unsigned int		(*bpf_func)(const void *ctx,
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 1e7fd3ee759e..1bcc81ab3227 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -997,12 +997,6 @@ static inline u32 bpf_prog_insn_size(const struct bpf_prog *prog)
 	return prog->len * sizeof(struct bpf_insn);
 }
 
-static inline u32 bpf_prog_tag_scratch_size(const struct bpf_prog *prog)
-{
-	return round_up(bpf_prog_insn_size(prog) +
-			sizeof(__be64) + 1, SHA1_BLOCK_SIZE);
-}
-
 static inline unsigned int bpf_prog_size(unsigned int proglen)
 {
 	return max(sizeof(struct bpf_prog),
diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig
index 17067dcb4386..eb3de35734f0 100644
--- a/kernel/bpf/Kconfig
+++ b/kernel/bpf/Kconfig
@@ -3,7 +3,7 @@
 # BPF interpreter that, for example, classic socket filters depend on.
 config BPF
 	bool
-	select CRYPTO_LIB_SHA1
+	select CRYPTO_LIB_SHA256
 
 # Used by archs to tell that they support BPF JIT compiler plus which
 # flavour. Only one of the two can be selected for a specific arch since
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 5d1650af899d..d1a7ea759c82 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -38,6 +38,7 @@
 #include <linux/bpf_mem_alloc.h>
 #include <linux/memcontrol.h>
 #include <linux/execmem.h>
+#include <crypto/sha2.h>
 
 #include <asm/barrier.h>
 #include <linux/unaligned.h>
@@ -293,28 +294,18 @@ void __bpf_prog_free(struct bpf_prog *fp)
 
 int bpf_prog_calc_tag(struct bpf_prog *fp)
 {
-	const u32 bits_offset = SHA1_BLOCK_SIZE - sizeof(__be64);
-	u32 raw_size = bpf_prog_tag_scratch_size(fp);
-	u32 digest[SHA1_DIGEST_WORDS];
-	u32 ws[SHA1_WORKSPACE_WORDS];
-	u32 i, bsize, psize, blocks;
+	u32 insn_size = bpf_prog_insn_size(fp);
 	struct bpf_insn *dst;
 	bool was_ld_map;
-	u8 *raw, *todo;
-	__be32 *result;
-	__be64 *bits;
+	int i, ret = 0;
 
-	raw = vmalloc(raw_size);
-	if (!raw)
+	dst = vmalloc(insn_size);
+	if (!dst)
 		return -ENOMEM;
 
-	sha1_init_raw(digest);
-	memset(ws, 0, sizeof(ws));
-
 	/* We need to take out the map fd for the digest calculation
 	 * since they are unstable from user space side.
 	 */
-	dst = (void *)raw;
 	for (i = 0, was_ld_map = false; i < fp->len; i++) {
 		dst[i] = fp->insnsi[i];
 		if (!was_ld_map &&
@@ -334,34 +325,9 @@ int bpf_prog_calc_tag(struct bpf_prog *fp)
 			was_ld_map = false;
 		}
 	}
-
-	psize = bpf_prog_insn_size(fp);
-	memset(&raw[psize], 0, raw_size - psize);
-	raw[psize++] = 0x80;
-
-	bsize  = round_up(psize, SHA1_BLOCK_SIZE);
-	blocks = bsize / SHA1_BLOCK_SIZE;
-	todo   = raw;
-	if (bsize - psize >= sizeof(__be64)) {
-		bits = (__be64 *)(todo + bsize - sizeof(__be64));
-	} else {
-		bits = (__be64 *)(todo + bsize + bits_offset);
-		blocks++;
-	}
-	*bits = cpu_to_be64((psize - 1) << 3);
-
-	while (blocks--) {
-		sha1_transform(digest, todo, ws);
-		todo += SHA1_BLOCK_SIZE;
-	}
-
-	result = (__force __be32 *)digest;
-	for (i = 0; i < SHA1_DIGEST_WORDS; i++)
-		result[i] = cpu_to_be32(digest[i]);
-	memcpy(fp->tag, result, sizeof(fp->tag));
-
-	vfree(raw);
-	return 0;
+	sha256((u8 *)dst, insn_size, fp->digest);
+	vfree(dst);
+	return ret;
 }
 
 static int bpf_adj_delta_to_imm(struct bpf_insn *insn, u32 pos, s32 end_old,
-- 
2.43.0

[PATCH v3 02/12] bpf: Implement exclusive map creation

[KP Singh]

Exclusive maps allow maps to only be accessed by program with a
program with a matching hash which is specified in the excl_prog_hash
attr.

For the signing use-case, this allows the trusted loader program
to load the map and verify the integrity

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/bpf.h            |  1 +
 include/uapi/linux/bpf.h       |  2 ++
 kernel/bpf/syscall.c           | 32 ++++++++++++++++++++++++++++----
 kernel/bpf/verifier.c          |  6 ++++++
 tools/include/uapi/linux/bpf.h |  2 ++
 5 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index b98c5b5bf2a1..b23804733f2f 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -329,6 +329,7 @@ struct bpf_map {
 	atomic64_t sleepable_refcnt;
 	s64 __percpu *elem_count;
 	u64 cookie; /* write-once */
+	char *excl_prog_sha;
 };
 
 static inline const char *btf_field_type_name(enum btf_field_type type)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 233de8677382..7873ba7b9468 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1522,6 +1522,8 @@ union bpf_attr {
 		 * If provided, map_flags should have BPF_F_TOKEN_FD flag set.
 		 */
 		__s32	map_token_fd;
+		__u32 excl_prog_hash_size;
+		__aligned_u64 excl_prog_hash;
 	};
 
 	struct { /* anonymous struct used by BPF_MAP_*_ELEM and BPF_MAP_FREEZE commands */
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 0fbfa8532c39..943811165510 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -860,6 +860,7 @@ static void bpf_map_free(struct bpf_map *map)
 	 * the free of values or special fields allocated from bpf memory
 	 * allocator.
 	 */
+	kfree(map->excl_prog_sha);
 	migrate_disable();
 	map->ops->map_free(map);
 	migrate_enable();
@@ -1338,9 +1339,9 @@ static bool bpf_net_capable(void)
 	return capable(CAP_NET_ADMIN) || capable(CAP_SYS_ADMIN);
 }
 
-#define BPF_MAP_CREATE_LAST_FIELD map_token_fd
+#define BPF_MAP_CREATE_LAST_FIELD excl_prog_hash
 /* called via syscall */
-static int map_create(union bpf_attr *attr, bool kernel)
+static int map_create(union bpf_attr *attr, bpfptr_t uattr)
 {
 	const struct bpf_map_ops *ops;
 	struct bpf_token *token = NULL;
@@ -1534,7 +1535,30 @@ static int map_create(union bpf_attr *attr, bool kernel)
 			attr->btf_vmlinux_value_type_id;
 	}
 
-	err = security_bpf_map_create(map, attr, token, kernel);
+	if (attr->excl_prog_hash) {
+		bpfptr_t uprog_hash = make_bpfptr(attr->excl_prog_hash, uattr.is_kernel);
+
+		if (attr->excl_prog_hash_size != SHA256_DIGEST_SIZE) {
+			err = -EINVAL;
+			goto free_map;
+		}
+
+		map->excl_prog_sha = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
+		if (!map->excl_prog_sha) {
+			err = -ENOMEM;
+			goto free_map;
+		}
+
+		if (copy_from_bpfptr(map->excl_prog_sha, uprog_hash,
+				     SHA256_DIGEST_SIZE)) {
+			err = -EFAULT;
+			goto free_map;
+		}
+	} else if (attr->excl_prog_hash_size) {
+		return -EINVAL;
+	}
+
+	err = security_bpf_map_create(map, attr, token, uattr.is_kernel);
 	if (err)
 		goto free_map_sec;
 
@@ -6008,7 +6032,7 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size)
 
 	switch (cmd) {
 	case BPF_MAP_CREATE:
-		err = map_create(&attr, uattr.is_kernel);
+		err = map_create(&attr, uattr);
 		break;
 	case BPF_MAP_LOOKUP_ELEM:
 		err = map_lookup_elem(&attr);
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 3a3982fe20d4..2dd4449b946b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -20360,6 +20360,12 @@ static int check_map_prog_compatibility(struct bpf_verifier_env *env,
 {
 	enum bpf_prog_type prog_type = resolve_prog_type(prog);
 
+	if (map->excl_prog_sha &&
+	    memcmp(map->excl_prog_sha, prog->digest, SHA256_DIGEST_SIZE)) {
+		verbose(env, "program's hash doesn't match map's excl_prog_hash\n");
+		return -EACCES;
+	}
+
 	if (btf_record_has_field(map->record, BPF_LIST_HEAD) ||
 	    btf_record_has_field(map->record, BPF_RB_ROOT)) {
 		if (is_tracing_prog_type(prog_type)) {
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 233de8677382..7873ba7b9468 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -1522,6 +1522,8 @@ union bpf_attr {
 		 * If provided, map_flags should have BPF_F_TOKEN_FD flag set.
 		 */
 		__s32	map_token_fd;
+		__u32 excl_prog_hash_size;
+		__aligned_u64 excl_prog_hash;
 	};
 
 	struct { /* anonymous struct used by BPF_MAP_*_ELEM and BPF_MAP_FREEZE commands */
-- 
2.43.0

[PATCH v3 03/12] libbpf: Implement SHA256 internal helper

[KP Singh]

Use AF_ALG sockets to not have libbpf depend on OpenSSL. The helper is
used for the loader generation code to embed the metadata hash in the
loader program and also by the bpf_map__make_exclusive API to calculate
the hash of the program the map is exclusive to.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 tools/lib/bpf/libbpf.c          | 59 +++++++++++++++++++++++++++++++++
 tools/lib/bpf/libbpf_internal.h |  4 +++
 2 files changed, 63 insertions(+)

diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 8f5a81b672e1..0bb3d71dcd9f 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -43,6 +43,9 @@
 #include <sys/vfs.h>
 #include <sys/utsname.h>
 #include <sys/resource.h>
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <linux/socket.h>
 #include <libelf.h>
 #include <gelf.h>
 #include <zlib.h>
@@ -14207,3 +14210,59 @@ void bpf_object__destroy_skeleton(struct bpf_object_skeleton *s)
 	free(s->progs);
 	free(s);
 }
+
+int libbpf_sha256(const void *data, size_t data_sz, void *sha_out, size_t sha_out_sz)
+{
+	struct sockaddr_alg sa = {
+		.salg_family = AF_ALG,
+		.salg_type   = "hash",
+		.salg_name   = "sha256"
+	};
+	int sock_fd = -1;
+	int op_fd = -1;
+	int err = 0;
+
+	if (sha_out_sz != SHA256_DIGEST_LENGTH) {
+		pr_warn("sha_out_sz should be exactly 32 bytes for a SHA256 digest");
+		return libbpf_err(-EINVAL);
+	}
+
+	sock_fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+	if (sock_fd < 0) {
+		err = -errno;
+		pr_warn("failed to create AF_ALG socket for SHA256: %s\n", errstr(err));
+		return libbpf_err(err);
+	}
+
+	if (bind(sock_fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
+		err = -errno;
+		pr_warn("failed to bind to AF_ALG socket for SHA256: %s\n", errstr(err));
+		goto out;
+	}
+
+	op_fd = accept(sock_fd, NULL, 0);
+	if (op_fd < 0) {
+		err = -errno;
+		pr_warn("failed to accept from AF_ALG socket for SHA256: %s\n", errstr(err));
+		goto out;
+	}
+
+	if (write(op_fd, data, data_sz) != data_sz) {
+		err = -errno;
+		pr_warn("failed to write data to AF_ALG socket for SHA256: %s\n", errstr(err));
+		goto out;
+	}
+
+	if (read(op_fd, sha_out, SHA256_DIGEST_LENGTH) != SHA256_DIGEST_LENGTH) {
+		err = -errno;
+		pr_warn("failed to read SHA256 from AF_ALG socket: %s\n", errstr(err));
+		goto out;
+	}
+
+out:
+	if (op_fd >= 0)
+		close(op_fd);
+	if (sock_fd >= 0)
+		close(sock_fd);
+	return libbpf_err(err);
+}
diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h
index 477a3b3389a0..8a055de0d324 100644
--- a/tools/lib/bpf/libbpf_internal.h
+++ b/tools/lib/bpf/libbpf_internal.h
@@ -736,4 +736,8 @@ int elf_resolve_pattern_offsets(const char *binary_path, const char *pattern,
 
 int probe_fd(int fd);
 
+#define SHA256_DIGEST_LENGTH 32
+#define SHA256_DWORD_SIZE SHA256_DIGEST_LENGTH / sizeof(__u64)
+
+int libbpf_sha256(const void *data, size_t data_sz, void *sha_out, size_t sha_out_sz);
 #endif /* __LIBBPF_LIBBPF_INTERNAL_H */
-- 
2.43.0

[PATCH v3 04/12] libbpf: Support exclusive map creation

[KP Singh]

Implement setters and getters that allow map to be registers as
exclusive to the specified program. The registration should be done
before the exclusive program is loaded.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 tools/lib/bpf/bpf.c      |  4 ++-
 tools/lib/bpf/bpf.h      |  4 ++-
 tools/lib/bpf/libbpf.c   | 66 ++++++++++++++++++++++++++++++++++++++++
 tools/lib/bpf/libbpf.h   | 18 +++++++++++
 tools/lib/bpf/libbpf.map |  2 ++
 5 files changed, 92 insertions(+), 2 deletions(-)

diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
index ab40dbf9f020..6a08a1559237 100644
--- a/tools/lib/bpf/bpf.c
+++ b/tools/lib/bpf/bpf.c
@@ -172,7 +172,7 @@ int bpf_map_create(enum bpf_map_type map_type,
 		   __u32 max_entries,
 		   const struct bpf_map_create_opts *opts)
 {
-	const size_t attr_sz = offsetofend(union bpf_attr, map_token_fd);
+	const size_t attr_sz = offsetofend(union bpf_attr, excl_prog_hash);
 	union bpf_attr attr;
 	int fd;
 
@@ -203,6 +203,8 @@ int bpf_map_create(enum bpf_map_type map_type,
 	attr.map_ifindex = OPTS_GET(opts, map_ifindex, 0);
 
 	attr.map_token_fd = OPTS_GET(opts, token_fd, 0);
+	attr.excl_prog_hash = ptr_to_u64(OPTS_GET(opts, excl_prog_hash, NULL));
+	attr.excl_prog_hash_size = OPTS_GET(opts, excl_prog_hash_size, 0);
 
 	fd = sys_bpf_fd(BPF_MAP_CREATE, &attr, attr_sz);
 	return libbpf_err_errno(fd);
diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
index 7252150e7ad3..675a09bb7d2f 100644
--- a/tools/lib/bpf/bpf.h
+++ b/tools/lib/bpf/bpf.h
@@ -54,9 +54,11 @@ struct bpf_map_create_opts {
 	__s32 value_type_btf_obj_fd;
 
 	__u32 token_fd;
+	__u32 excl_prog_hash_size;
+	const void *excl_prog_hash;
 	size_t :0;
 };
-#define bpf_map_create_opts__last_field token_fd
+#define bpf_map_create_opts__last_field excl_prog_hash
 
 LIBBPF_API int bpf_map_create(enum bpf_map_type map_type,
 			      const char *map_name,
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 0bb3d71dcd9f..ed3294f69271 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -499,6 +499,7 @@ struct bpf_program {
 	__u32 line_info_rec_size;
 	__u32 line_info_cnt;
 	__u32 prog_flags;
+	__u8  hash[SHA256_DIGEST_LENGTH];
 };
 
 struct bpf_struct_ops {
@@ -578,6 +579,7 @@ struct bpf_map {
 	bool autocreate;
 	bool autoattach;
 	__u64 map_extra;
+	struct bpf_program *excl_prog;
 };
 
 enum extern_type {
@@ -4488,6 +4490,43 @@ bpf_object__section_to_libbpf_map_type(const struct bpf_object *obj, int shndx)
 	}
 }
 
+static int bpf_program__compute_hash(struct bpf_program *prog)
+{
+	struct bpf_insn *purged;
+	int i, err;
+
+	purged = calloc(1, BPF_INSN_SZ * prog->insns_cnt);
+	if (!purged)
+		return -ENOMEM;
+
+	/* If relocations have been done, the map_fd needs to be
+	 * discarded for the digest calculation.
+	 */
+	for (i = 0; i < prog->insns_cnt; i++) {
+		purged[i] = prog->insns[i];
+		if (purged[i].code == (BPF_LD | BPF_IMM | BPF_DW) &&
+		    (purged[i].src_reg == BPF_PSEUDO_MAP_FD ||
+		     purged[i].src_reg == BPF_PSEUDO_MAP_VALUE)) {
+			purged[i].imm = 0;
+			i++;
+			if (i >= prog->insns_cnt ||
+			    prog->insns[i].code != 0 ||
+			    prog->insns[i].dst_reg != 0 ||
+			    prog->insns[i].src_reg != 0 ||
+			    prog->insns[i].off != 0) {
+				err = -EINVAL;
+				goto out;
+			}
+			purged[i] = prog->insns[i];
+			purged[i].imm = 0;
+		}
+	}
+	err = libbpf_sha256(purged, prog->insns_cnt * sizeof(struct bpf_insn), prog->hash, SHA256_DIGEST_LENGTH);
+out:
+	free(purged);
+	return err;
+}
+
 static int bpf_program__record_reloc(struct bpf_program *prog,
 				     struct reloc_desc *reloc_desc,
 				     __u32 insn_idx, const char *sym_name,
@@ -5227,6 +5266,18 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b
 	create_attr.token_fd = obj->token_fd;
 	if (obj->token_fd)
 		create_attr.map_flags |= BPF_F_TOKEN_FD;
+	if (map->excl_prog) {
+		if (map->excl_prog->obj->state == OBJ_LOADED) {
+			pr_warn("exclusive program already loaded\n");
+			return libbpf_err(-EINVAL);
+		}
+		err = bpf_program__compute_hash(map->excl_prog);
+		if (err)
+			return err;
+
+		create_attr.excl_prog_hash = map->excl_prog->hash;
+		create_attr.excl_prog_hash_size = SHA256_DIGEST_LENGTH;
+	}
 
 	if (bpf_map__is_struct_ops(map)) {
 		create_attr.btf_vmlinux_value_type_id = map->btf_vmlinux_value_type_id;
@@ -10517,6 +10568,21 @@ int bpf_map__set_inner_map_fd(struct bpf_map *map, int fd)
 	return 0;
 }
 
+int bpf_map__set_exclusive_program(struct bpf_map *map, struct bpf_program *prog)
+{
+	if (map_is_created(map)) {
+		pr_warn("exclusive programs must be set before map creation\n");
+		return libbpf_err(-EINVAL);
+	}
+	map->excl_prog = prog;
+	return 0;
+}
+
+struct bpf_program *bpf_map__get_exclusive_program(struct bpf_map *map)
+{
+	return map->excl_prog;
+}
+
 static struct bpf_map *
 __bpf_map__iter(const struct bpf_map *m, const struct bpf_object *obj, int i)
 {
diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h
index 455a957cb702..ddaf58c8a298 100644
--- a/tools/lib/bpf/libbpf.h
+++ b/tools/lib/bpf/libbpf.h
@@ -1266,7 +1266,25 @@ LIBBPF_API int bpf_map__lookup_and_delete_elem(const struct bpf_map *map,
  */
 LIBBPF_API int bpf_map__get_next_key(const struct bpf_map *map,
 				     const void *cur_key, void *next_key, size_t key_sz);
+/**
+ * @brief **bpf_map__set_exclusive_program()** sets map to be exclusive to the
+ * to the specified program. The program must not be loaded yet.
+ * @param map BPF map to make exclusive.
+ * @param prog BPF program to be the exclusive user of the map.
+ * @return 0 on success; a negative error code otherwise.
+ *
+ * Once a map is made exclusive, only the specified program can access its
+ * contents.
+ */
+LIBBPF_API int bpf_map__set_exclusive_program(struct bpf_map *map, struct bpf_program *prog);
 
+/**
+ * @brief **bpf_map__get_exclusive_program()** returns the exclusive program
+ * that is registered with the map (if any).
+ * @param map BPF map to which the exclusive program is registered.
+ * @return the registered exclusive program.
+ */
+LIBBPF_API struct bpf_program *bpf_map__get_exclusive_program(struct bpf_map *map);
 struct bpf_xdp_set_link_opts {
 	size_t sz;
 	int old_fd;
diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map
index d7bd463e7017..a5c5d0f2db5c 100644
--- a/tools/lib/bpf/libbpf.map
+++ b/tools/lib/bpf/libbpf.map
@@ -436,6 +436,8 @@ LIBBPF_1.6.0 {
 		bpf_linker__add_buf;
 		bpf_linker__add_fd;
 		bpf_linker__new_fd;
+		bpf_map__set_exclusive_program;
+		bpf_map__get_exclusive_program;
 		bpf_object__prepare;
 		bpf_prog_stream_read;
 		bpf_program__attach_cgroup_opts;
-- 
2.43.0

[PATCH v3 05/12] selftests/bpf: Add tests for exclusive maps

[KP Singh]

Check if access is denied to another program for an exclusive map

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 .../selftests/bpf/prog_tests/map_excl.c       | 56 +++++++++++++++++++
 tools/testing/selftests/bpf/progs/map_excl.c  | 34 +++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/map_excl.c
 create mode 100644 tools/testing/selftests/bpf/progs/map_excl.c

diff --git a/tools/testing/selftests/bpf/prog_tests/map_excl.c b/tools/testing/selftests/bpf/prog_tests/map_excl.c
new file mode 100644
index 000000000000..7a49917c691a
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/map_excl.c
@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (C) 2023. Huawei Technologies Co., Ltd */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <test_progs.h>
+#include <bpf/btf.h>
+
+#include "map_excl.skel.h"
+
+static void test_map_excl_allowed(void)
+{
+	struct map_excl *skel = map_excl__open();
+	int err;
+
+	err = bpf_map__set_exclusive_program(skel->maps.excl_map, skel->progs.should_have_access);
+	if (!ASSERT_OK(err, "bpf_map__set_exclusive_program"))
+		goto out;
+
+	bpf_program__set_autoload(skel->progs.should_have_access, true);
+	bpf_program__set_autoload(skel->progs.should_not_have_access, false);
+
+	err = map_excl__load(skel);
+	ASSERT_OK(err, "map_excl__load");
+out:
+	map_excl__destroy(skel);
+}
+
+static void test_map_excl_denied(void)
+{
+	struct map_excl *skel = map_excl__open();
+	int err;
+
+	err = bpf_map__set_exclusive_program(skel->maps.excl_map, skel->progs.should_have_access);
+	if (!ASSERT_OK(err, "bpf_map__make_exclusive"))
+		goto out;
+
+	bpf_program__set_autoload(skel->progs.should_have_access, false);
+	bpf_program__set_autoload(skel->progs.should_not_have_access, true);
+
+	err = map_excl__load(skel);
+	ASSERT_EQ(err, -EACCES, "exclusive map Paccess not denied\n");
+out:
+	map_excl__destroy(skel);
+
+}
+
+void test_map_excl(void)
+{
+	start_libbpf_log_capture();
+	if (test__start_subtest("map_excl_allowed"))
+		test_map_excl_allowed();
+	stop_libbpf_log_capture();
+	if (test__start_subtest("map_excl_denied"))
+		test_map_excl_denied();
+}
diff --git a/tools/testing/selftests/bpf/progs/map_excl.c b/tools/testing/selftests/bpf/progs/map_excl.c
new file mode 100644
index 000000000000..26c32b4f2ce0
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/map_excl.c
@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (C) 2023. Huawei Technologies Co., Ltd */
+#include <linux/bpf.h>
+#include <time.h>
+#include <bpf/bpf_helpers.h>
+
+#include "bpf_misc.h"
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__type(key, __u32);
+	__type(value, __u32);
+	__uint(max_entries, 1);
+} excl_map SEC(".maps");
+
+char _license[] SEC("license") = "GPL";
+
+SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")
+int should_have_access(void *ctx)
+{
+	int key = 0, value = 0xdeadbeef;
+
+	bpf_map_update_elem(&excl_map, &key, &value, 0);
+	return 0;
+}
+
+SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")
+int should_not_have_access(void *ctx)
+{
+	int key = 0, value = 0xdeadbeef;
+
+	bpf_map_update_elem(&excl_map, &key, &value, 0);
+	return 0;
+}
-- 
2.43.0

[PATCH v3 06/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD

[KP Singh]

Currently only array maps are supported, but the implementation can be
extended for other maps and objects. The hash is memoized only for
exclusive and frozen maps as their content is stable until the exclusive
program modifies the map.

This is required  for BPF signing, enabling a trusted loader program to
verify a map's integrity. The loader retrieves
the map's runtime hash from the kernel and compares it against an
expected hash computed at build time.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/bpf.h                           |  3 +++
 include/uapi/linux/bpf.h                      |  2 ++
 kernel/bpf/arraymap.c                         | 13 +++++++++++
 kernel/bpf/syscall.c                          | 23 +++++++++++++++++++
 tools/include/uapi/linux/bpf.h                |  2 ++
 .../selftests/bpf/progs/verifier_map_ptr.c    |  7 ++++--
 6 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index b23804733f2f..b12a0645c2a3 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -7,6 +7,7 @@
 #include <uapi/linux/bpf.h>
 #include <uapi/linux/filter.h>
 
+#include <crypto/sha2.h>
 #include <linux/workqueue.h>
 #include <linux/file.h>
 #include <linux/percpu.h>
@@ -110,6 +111,7 @@ struct bpf_map_ops {
 	long (*map_pop_elem)(struct bpf_map *map, void *value);
 	long (*map_peek_elem)(struct bpf_map *map, void *value);
 	void *(*map_lookup_percpu_elem)(struct bpf_map *map, void *key, u32 cpu);
+	int (*map_get_hash)(struct bpf_map *map, u32 hash_buf_size, void *hash_buf);
 
 	/* funcs called by prog_array and perf_event_array map */
 	void *(*map_fd_get_ptr)(struct bpf_map *map, struct file *map_file,
@@ -289,6 +291,7 @@ struct bpf_map_owner {
 };
 
 struct bpf_map {
+	u8 sha[SHA256_DIGEST_SIZE];
 	const struct bpf_map_ops *ops;
 	struct bpf_map *inner_map_meta;
 #ifdef CONFIG_SECURITY
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 7873ba7b9468..fd3b895ebebf 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -6668,6 +6668,8 @@ struct bpf_map_info {
 	__u32 btf_value_type_id;
 	__u32 btf_vmlinux_id;
 	__u64 map_extra;
+	__aligned_u64 hash;
+	__u32 hash_size;
 } __attribute__((aligned(8)));
 
 struct bpf_btf_info {
diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
index 3d080916faf9..26d5dda989bc 100644
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -12,6 +12,7 @@
 #include <uapi/linux/btf.h>
 #include <linux/rcupdate_trace.h>
 #include <linux/btf_ids.h>
+#include <crypto/sha2.h>
 
 #include "map_in_map.h"
 
@@ -174,6 +175,17 @@ static void *array_map_lookup_elem(struct bpf_map *map, void *key)
 	return array->value + (u64)array->elem_size * (index & array->index_mask);
 }
 
+static int array_map_get_hash(struct bpf_map *map, u32 hash_buf_size,
+			       void *hash_buf)
+{
+	struct bpf_array *array = container_of(map, struct bpf_array, map);
+
+	sha256(array->value, (u64)array->elem_size * array->map.max_entries,
+	       hash_buf);
+	memcpy(array->map.sha, hash_buf, sizeof(array->map.sha));
+	return 0;
+}
+
 static int array_map_direct_value_addr(const struct bpf_map *map, u64 *imm,
 				       u32 off)
 {
@@ -800,6 +812,7 @@ const struct bpf_map_ops array_map_ops = {
 	.map_mem_usage = array_map_mem_usage,
 	.map_btf_id = &array_map_btf_ids[0],
 	.iter_seq_info = &iter_seq_info,
+	.map_get_hash = &array_map_get_hash,
 };
 
 const struct bpf_map_ops percpu_array_map_ops = {
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 943811165510..3d99c443ab7a 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
  */
+#include <crypto/sha2.h>
 #include <linux/bpf.h>
 #include <linux/bpf-cgroup.h>
 #include <linux/bpf_trace.h>
@@ -5185,6 +5186,9 @@ static int bpf_map_get_info_by_fd(struct file *file,
 	info_len = min_t(u32, sizeof(info), info_len);
 
 	memset(&info, 0, sizeof(info));
+	if (copy_from_user(&info, uinfo, info_len))
+		return -EFAULT;
+
 	info.type = map->map_type;
 	info.id = map->id;
 	info.key_size = map->key_size;
@@ -5209,6 +5213,25 @@ static int bpf_map_get_info_by_fd(struct file *file,
 			return err;
 	}
 
+	if (info.hash) {
+		char __user *uhash = u64_to_user_ptr(info.hash);
+
+		if (!map->ops->map_get_hash)
+			return -EINVAL;
+
+		if (info.hash_size != SHA256_DIGEST_SIZE)
+			return -EINVAL;
+
+		err = map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, map->sha);
+		if (err != 0)
+			return err;
+
+		if (copy_to_user(uhash, map->sha, SHA256_DIGEST_SIZE) != 0)
+			return -EFAULT;
+	} else if (info.hash_size) {
+		return -EINVAL;
+	}
+
 	if (copy_to_user(uinfo, &info, info_len) ||
 	    put_user(info_len, &uattr->info.info_len))
 		return -EFAULT;
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 7873ba7b9468..fd3b895ebebf 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -6668,6 +6668,8 @@ struct bpf_map_info {
 	__u32 btf_value_type_id;
 	__u32 btf_vmlinux_id;
 	__u64 map_extra;
+	__aligned_u64 hash;
+	__u32 hash_size;
 } __attribute__((aligned(8)));
 
 struct bpf_btf_info {
diff --git a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
index 11a079145966..e2767d27d8aa 100644
--- a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
+++ b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
@@ -70,10 +70,13 @@ __naked void bpf_map_ptr_write_rejected(void)
 	: __clobber_all);
 }
 
+/* The first element of struct bpf_map is a SHA256 hash of 32 bytes, accessing
+ * into this array is valid. The opts field is now at offset 33.
+ */
 SEC("socket")
 __description("bpf_map_ptr: read non-existent field rejected")
 __failure
-__msg("cannot access ptr member ops with moff 0 in struct bpf_map with off 1 size 4")
+__msg("cannot access ptr member ops with moff 32 in struct bpf_map with off 33 size 4")
 __failure_unpriv
 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
 __flag(BPF_F_ANY_ALIGNMENT)
@@ -82,7 +85,7 @@ __naked void read_non_existent_field_rejected(void)
 	asm volatile ("					\
 	r6 = 0;						\
 	r1 = %[map_array_48b] ll;			\
-	r6 = *(u32*)(r1 + 1);				\
+	r6 = *(u32*)(r1 + 33);				\
 	r0 = 1;						\
 	exit;						\
 "	:
-- 
2.43.0

[PATCH v3 07/12] bpf: Move the signature kfuncs to helpers.c

[KP Singh]

No functional changes, except for the addition of the headers for the
kfuncs so that they can be used for signature verification.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 include/linux/bpf.h      |  32 +++++++
 kernel/bpf/helpers.c     | 166 +++++++++++++++++++++++++++++++++++
 kernel/trace/bpf_trace.c | 183 ---------------------------------------
 3 files changed, 198 insertions(+), 183 deletions(-)

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index b12a0645c2a3..809a1c6882f1 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -3412,6 +3412,38 @@ static inline int bpf_fd_reuseport_array_update_elem(struct bpf_map *map,
 #endif /* CONFIG_BPF_SYSCALL */
 #endif /* defined(CONFIG_INET) && defined(CONFIG_BPF_SYSCALL) */
 
+#if defined(CONFIG_KEYS) && defined(CONFIG_BPF_SYSCALL)
+
+struct bpf_key *bpf_lookup_user_key(s32 serial, u64 flags);
+struct bpf_key *bpf_lookup_system_key(u64 id);
+void bpf_key_put(struct bpf_key *bkey);
+int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,
+			       struct bpf_dynptr *sig_p,
+			       struct bpf_key *trusted_keyring);
+
+#else
+static inline struct bpf_key *bpf_lookup_user_key(u32 serial, u64 flags)
+{
+	return NULL;
+}
+
+static inline struct bpf_key *bpf_lookup_system_key(u64 id)
+{
+	return NULL;
+}
+
+static inline void bpf_key_put(struct bpf_key *bkey)
+{
+}
+
+static inline int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,
+					     struct bpf_dynptr *sig_p,
+					     struct bpf_key *trusted_keyring)
+{
+	return -EOPNOTSUPP;
+}
+#endif /* defined(CONFIG_KEYS) && defined(CONFIG_BPF_SYSCALL) */
+
 /* verifier prototypes for helper functions called from eBPF programs */
 extern const struct bpf_func_proto bpf_map_lookup_elem_proto;
 extern const struct bpf_func_proto bpf_map_update_elem_proto;
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 6b4877e85a68..a052bbbcbfc5 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -25,6 +25,7 @@
 #include <linux/kasan.h>
 #include <linux/bpf_verifier.h>
 #include <linux/uaccess.h>
+#include <linux/verification.h>
 
 #include "../../lib/kstrtox.h"
 
@@ -3702,6 +3703,163 @@ __bpf_kfunc int bpf_strstr(const char *s1__ign, const char *s2__ign)
 {
 	return bpf_strnstr(s1__ign, s2__ign, XATTR_SIZE_MAX);
 }
+#ifdef CONFIG_KEYS
+/**
+ * bpf_lookup_user_key - lookup a key by its serial
+ * @serial: key handle serial number
+ * @flags: lookup-specific flags
+ *
+ * Search a key with a given *serial* and the provided *flags*.
+ * If found, increment the reference count of the key by one, and
+ * return it in the bpf_key structure.
+ *
+ * The bpf_key structure must be passed to bpf_key_put() when done
+ * with it, so that the key reference count is decremented and the
+ * bpf_key structure is freed.
+ *
+ * Permission checks are deferred to the time the key is used by
+ * one of the available key-specific kfuncs.
+ *
+ * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a requested
+ * special keyring (e.g. session keyring), if it doesn't yet exist.
+ * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without waiting
+ * for the key construction, and to retrieve uninstantiated keys (keys
+ * without data attached to them).
+ *
+ * Return: a bpf_key pointer with a valid key pointer if the key is found, a
+ *         NULL pointer otherwise.
+ */
+__bpf_kfunc struct bpf_key *bpf_lookup_user_key(s32 serial, u64 flags)
+{
+	key_ref_t key_ref;
+	struct bpf_key *bkey;
+
+	if (flags & ~KEY_LOOKUP_ALL)
+		return NULL;
+
+	/*
+	 * Permission check is deferred until the key is used, as the
+	 * intent of the caller is unknown here.
+	 */
+	key_ref = lookup_user_key(serial, flags, KEY_DEFER_PERM_CHECK);
+	if (IS_ERR(key_ref))
+		return NULL;
+
+	bkey = kmalloc(sizeof(*bkey), GFP_KERNEL);
+	if (!bkey) {
+		key_put(key_ref_to_ptr(key_ref));
+		return NULL;
+	}
+
+	bkey->key = key_ref_to_ptr(key_ref);
+	bkey->has_ref = true;
+
+	return bkey;
+}
+
+/**
+ * bpf_lookup_system_key - lookup a key by a system-defined ID
+ * @id: key ID
+ *
+ * Obtain a bpf_key structure with a key pointer set to the passed key ID.
+ * The key pointer is marked as invalid, to prevent bpf_key_put() from
+ * attempting to decrement the key reference count on that pointer. The key
+ * pointer set in such way is currently understood only by
+ * verify_pkcs7_signature().
+ *
+ * Set *id* to one of the values defined in include/linux/verification.h:
+ * 0 for the primary keyring (immutable keyring of system keys);
+ * VERIFY_USE_SECONDARY_KEYRING for both the primary and secondary keyring
+ * (where keys can be added only if they are vouched for by existing keys
+ * in those keyrings); VERIFY_USE_PLATFORM_KEYRING for the platform
+ * keyring (primarily used by the integrity subsystem to verify a kexec'ed
+ * kerned image and, possibly, the initramfs signature).
+ *
+ * Return: a bpf_key pointer with an invalid key pointer set from the
+ *         pre-determined ID on success, a NULL pointer otherwise
+ */
+__bpf_kfunc struct bpf_key *bpf_lookup_system_key(u64 id)
+{
+	struct bpf_key *bkey;
+
+	if (system_keyring_id_check(id) < 0)
+		return NULL;
+
+	bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC);
+	if (!bkey)
+		return NULL;
+
+	bkey->key = (struct key *)(unsigned long)id;
+	bkey->has_ref = false;
+
+	return bkey;
+}
+
+/**
+ * bpf_key_put - decrement key reference count if key is valid and free bpf_key
+ * @bkey: bpf_key structure
+ *
+ * Decrement the reference count of the key inside *bkey*, if the pointer
+ * is valid, and free *bkey*.
+ */
+__bpf_kfunc void bpf_key_put(struct bpf_key *bkey)
+{
+	if (bkey->has_ref)
+		key_put(bkey->key);
+
+	kfree(bkey);
+}
+
+/**
+ * bpf_verify_pkcs7_signature - verify a PKCS#7 signature
+ * @data_p: data to verify
+ * @sig_p: signature of the data
+ * @trusted_keyring: keyring with keys trusted for signature verification
+ *
+ * Verify the PKCS#7 signature *sig_ptr* against the supplied *data_ptr*
+ * with keys in a keyring referenced by *trusted_keyring*.
+ *
+ * Return: 0 on success, a negative value on error.
+ */
+__bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,
+			       struct bpf_dynptr *sig_p,
+			       struct bpf_key *trusted_keyring)
+{
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+	struct bpf_dynptr_kern *data_ptr = (struct bpf_dynptr_kern *)data_p;
+	struct bpf_dynptr_kern *sig_ptr = (struct bpf_dynptr_kern *)sig_p;
+	const void *data, *sig;
+	u32 data_len, sig_len;
+	int ret;
+
+	if (trusted_keyring->has_ref) {
+		/*
+		 * Do the permission check deferred in bpf_lookup_user_key().
+		 * See bpf_lookup_user_key() for more details.
+		 *
+		 * A call to key_task_permission() here would be redundant, as
+		 * it is already done by keyring_search() called by
+		 * find_asymmetric_key().
+		 */
+		ret = key_validate(trusted_keyring->key);
+		if (ret < 0)
+			return ret;
+	}
+
+	data_len = __bpf_dynptr_size(data_ptr);
+	data = __bpf_dynptr_data(data_ptr, data_len);
+	sig_len = __bpf_dynptr_size(sig_ptr);
+	sig = __bpf_dynptr_data(sig_ptr, sig_len);
+
+	return verify_pkcs7_signature(data, data_len, sig, sig_len,
+				      trusted_keyring->key,
+				      VERIFYING_UNSPECIFIED_SIGNATURE, NULL,
+				      NULL);
+#else
+	return -EOPNOTSUPP;
+#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+}
+#endif /* CONFIG_KEYS */
 
 __bpf_kfunc_end_defs();
 
@@ -3743,6 +3901,14 @@ BTF_ID_FLAGS(func, bpf_throw)
 #ifdef CONFIG_BPF_EVENTS
 BTF_ID_FLAGS(func, bpf_send_signal_task, KF_TRUSTED_ARGS)
 #endif
+#ifdef CONFIG_KEYS
+BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
+BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL)
+BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE)
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+BTF_ID_FLAGS(func, bpf_verify_pkcs7_signature, KF_SLEEPABLE)
+#endif
+#endif
 BTF_KFUNCS_END(generic_btf_ids)
 
 static const struct btf_kfunc_id_set generic_kfunc_set = {
diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 3ae52978cae6..02c3f610420d 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -22,7 +22,6 @@
 #include <linux/bsearch.h>
 #include <linux/sort.h>
 #include <linux/key.h>
-#include <linux/verification.h>
 #include <linux/namei.h>
 
 #include <net/bpf_sk_storage.h>
@@ -1241,188 +1240,6 @@ static const struct bpf_func_proto bpf_get_func_arg_cnt_proto = {
 	.arg1_type	= ARG_PTR_TO_CTX,
 };
 
-#ifdef CONFIG_KEYS
-__bpf_kfunc_start_defs();
-
-/**
- * bpf_lookup_user_key - lookup a key by its serial
- * @serial: key handle serial number
- * @flags: lookup-specific flags
- *
- * Search a key with a given *serial* and the provided *flags*.
- * If found, increment the reference count of the key by one, and
- * return it in the bpf_key structure.
- *
- * The bpf_key structure must be passed to bpf_key_put() when done
- * with it, so that the key reference count is decremented and the
- * bpf_key structure is freed.
- *
- * Permission checks are deferred to the time the key is used by
- * one of the available key-specific kfuncs.
- *
- * Set *flags* with KEY_LOOKUP_CREATE, to attempt creating a requested
- * special keyring (e.g. session keyring), if it doesn't yet exist.
- * Set *flags* with KEY_LOOKUP_PARTIAL, to lookup a key without waiting
- * for the key construction, and to retrieve uninstantiated keys (keys
- * without data attached to them).
- *
- * Return: a bpf_key pointer with a valid key pointer if the key is found, a
- *         NULL pointer otherwise.
- */
-__bpf_kfunc struct bpf_key *bpf_lookup_user_key(s32 serial, u64 flags)
-{
-	key_ref_t key_ref;
-	struct bpf_key *bkey;
-
-	if (flags & ~KEY_LOOKUP_ALL)
-		return NULL;
-
-	/*
-	 * Permission check is deferred until the key is used, as the
-	 * intent of the caller is unknown here.
-	 */
-	key_ref = lookup_user_key(serial, flags, KEY_DEFER_PERM_CHECK);
-	if (IS_ERR(key_ref))
-		return NULL;
-
-	bkey = kmalloc(sizeof(*bkey), GFP_KERNEL);
-	if (!bkey) {
-		key_put(key_ref_to_ptr(key_ref));
-		return NULL;
-	}
-
-	bkey->key = key_ref_to_ptr(key_ref);
-	bkey->has_ref = true;
-
-	return bkey;
-}
-
-/**
- * bpf_lookup_system_key - lookup a key by a system-defined ID
- * @id: key ID
- *
- * Obtain a bpf_key structure with a key pointer set to the passed key ID.
- * The key pointer is marked as invalid, to prevent bpf_key_put() from
- * attempting to decrement the key reference count on that pointer. The key
- * pointer set in such way is currently understood only by
- * verify_pkcs7_signature().
- *
- * Set *id* to one of the values defined in include/linux/verification.h:
- * 0 for the primary keyring (immutable keyring of system keys);
- * VERIFY_USE_SECONDARY_KEYRING for both the primary and secondary keyring
- * (where keys can be added only if they are vouched for by existing keys
- * in those keyrings); VERIFY_USE_PLATFORM_KEYRING for the platform
- * keyring (primarily used by the integrity subsystem to verify a kexec'ed
- * kerned image and, possibly, the initramfs signature).
- *
- * Return: a bpf_key pointer with an invalid key pointer set from the
- *         pre-determined ID on success, a NULL pointer otherwise
- */
-__bpf_kfunc struct bpf_key *bpf_lookup_system_key(u64 id)
-{
-	struct bpf_key *bkey;
-
-	if (system_keyring_id_check(id) < 0)
-		return NULL;
-
-	bkey = kmalloc(sizeof(*bkey), GFP_ATOMIC);
-	if (!bkey)
-		return NULL;
-
-	bkey->key = (struct key *)(unsigned long)id;
-	bkey->has_ref = false;
-
-	return bkey;
-}
-
-/**
- * bpf_key_put - decrement key reference count if key is valid and free bpf_key
- * @bkey: bpf_key structure
- *
- * Decrement the reference count of the key inside *bkey*, if the pointer
- * is valid, and free *bkey*.
- */
-__bpf_kfunc void bpf_key_put(struct bpf_key *bkey)
-{
-	if (bkey->has_ref)
-		key_put(bkey->key);
-
-	kfree(bkey);
-}
-
-#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
-/**
- * bpf_verify_pkcs7_signature - verify a PKCS#7 signature
- * @data_p: data to verify
- * @sig_p: signature of the data
- * @trusted_keyring: keyring with keys trusted for signature verification
- *
- * Verify the PKCS#7 signature *sig_ptr* against the supplied *data_ptr*
- * with keys in a keyring referenced by *trusted_keyring*.
- *
- * Return: 0 on success, a negative value on error.
- */
-__bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,
-			       struct bpf_dynptr *sig_p,
-			       struct bpf_key *trusted_keyring)
-{
-	struct bpf_dynptr_kern *data_ptr = (struct bpf_dynptr_kern *)data_p;
-	struct bpf_dynptr_kern *sig_ptr = (struct bpf_dynptr_kern *)sig_p;
-	const void *data, *sig;
-	u32 data_len, sig_len;
-	int ret;
-
-	if (trusted_keyring->has_ref) {
-		/*
-		 * Do the permission check deferred in bpf_lookup_user_key().
-		 * See bpf_lookup_user_key() for more details.
-		 *
-		 * A call to key_task_permission() here would be redundant, as
-		 * it is already done by keyring_search() called by
-		 * find_asymmetric_key().
-		 */
-		ret = key_validate(trusted_keyring->key);
-		if (ret < 0)
-			return ret;
-	}
-
-	data_len = __bpf_dynptr_size(data_ptr);
-	data = __bpf_dynptr_data(data_ptr, data_len);
-	sig_len = __bpf_dynptr_size(sig_ptr);
-	sig = __bpf_dynptr_data(sig_ptr, sig_len);
-
-	return verify_pkcs7_signature(data, data_len, sig, sig_len,
-				      trusted_keyring->key,
-				      VERIFYING_UNSPECIFIED_SIGNATURE, NULL,
-				      NULL);
-}
-#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
-
-__bpf_kfunc_end_defs();
-
-BTF_KFUNCS_START(key_sig_kfunc_set)
-BTF_ID_FLAGS(func, bpf_lookup_user_key, KF_ACQUIRE | KF_RET_NULL | KF_SLEEPABLE)
-BTF_ID_FLAGS(func, bpf_lookup_system_key, KF_ACQUIRE | KF_RET_NULL)
-BTF_ID_FLAGS(func, bpf_key_put, KF_RELEASE)
-#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
-BTF_ID_FLAGS(func, bpf_verify_pkcs7_signature, KF_SLEEPABLE)
-#endif
-BTF_KFUNCS_END(key_sig_kfunc_set)
-
-static const struct btf_kfunc_id_set bpf_key_sig_kfunc_set = {
-	.owner = THIS_MODULE,
-	.set = &key_sig_kfunc_set,
-};
-
-static int __init bpf_key_sig_kfuncs_init(void)
-{
-	return register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING,
-					 &bpf_key_sig_kfunc_set);
-}
-
-late_initcall(bpf_key_sig_kfuncs_init);
-#endif /* CONFIG_KEYS */
-
 static const struct bpf_func_proto *
 bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 {
-- 
2.43.0

[PATCH v3 08/12] bpf: Implement signature verification for BPF programs

[KP Singh]

This patch extends the BPF_PROG_LOAD command by adding three new fields
to `union bpf_attr` in the user-space API:

  - signature: A pointer to the signature blob.
  - signature_size: The size of the signature blob.
  - keyring_id: The serial number of a loaded kernel keyring (e.g.,
    the user or session keyring) containing the trusted public keys.

When a BPF program is loaded with a signature, the kernel:

1.  Retrieves the trusted keyring using the provided `keyring_id`.
2.  Verifies the supplied signature against the BPF program's
    instruction buffer.
3.  If the signature is valid and was generated by a key in the trusted
    keyring, the program load proceeds.
4.  If no signature is provided, the load proceeds as before, allowing
    for backward compatibility. LSMs can chose to restrict unsigned
    programs and implement a security policy.
5.  If signature verification fails for any reason,
    the program is not loaded.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 crypto/asymmetric_keys/pkcs7_verify.c |  1 +
 include/linux/verification.h          |  1 +
 include/uapi/linux/bpf.h              | 10 +++++++
 kernel/bpf/helpers.c                  |  2 +-
 kernel/bpf/syscall.c                  | 42 ++++++++++++++++++++++++++-
 tools/include/uapi/linux/bpf.h        | 10 +++++++
 tools/lib/bpf/bpf.c                   |  2 +-
 7 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index f0d4ff3c20a8..6d6475e3a9bf 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -429,6 +429,7 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
 		/* Authattr presence checked in parser */
 		break;
 	case VERIFYING_UNSPECIFIED_SIGNATURE:
+	case VERIFYING_BPF_SIGNATURE:
 		if (pkcs7->data_type != OID_data) {
 			pr_warn("Invalid unspecified sig (not pkcs7-data)\n");
 			return -EKEYREJECTED;
diff --git a/include/linux/verification.h b/include/linux/verification.h
index 4f3022d081c3..dec7f2beabfd 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -36,6 +36,7 @@ enum key_being_used_for {
 	VERIFYING_KEY_SIGNATURE,
 	VERIFYING_KEY_SELF_SIGNATURE,
 	VERIFYING_UNSPECIFIED_SIGNATURE,
+	VERIFYING_BPF_SIGNATURE,
 	NR__KEY_BEING_USED_FOR
 };
 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index fd3b895ebebf..4d8e64f97473 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1607,6 +1607,16 @@ union bpf_attr {
 		 * continuous.
 		 */
 		__u32		fd_array_cnt;
+		/* Pointer to a buffer containing the signature of the BPF
+		 * program.
+		 */
+		__aligned_u64   signature;
+		/* Size of the signature buffer in bytes. */
+		__u32 		signature_size;
+		/* ID of the kernel keyring to be used for signature
+		 * verification.
+		 */
+		__s32		keyring_id;
 	};
 
 	struct { /* anonymous struct used by BPF_OBJ_* commands */
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index a052bbbcbfc5..e883c91b3633 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -3853,7 +3853,7 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,
 
 	return verify_pkcs7_signature(data, data_len, sig, sig_len,
 				      trusted_keyring->key,
-				      VERIFYING_UNSPECIFIED_SIGNATURE, NULL,
+				      VERIFYING_BPF_SIGNATURE, NULL,
 				      NULL);
 #else
 	return -EOPNOTSUPP;
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 3d99c443ab7a..ba17ad943c27 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -39,6 +39,7 @@
 #include <linux/tracepoint.h>
 #include <linux/overflow.h>
 #include <linux/cookie.h>
+#include <linux/verification.h>
 
 #include <net/netfilter/nf_bpf_link.h>
 #include <net/netkit.h>
@@ -2786,8 +2787,41 @@ static bool is_perfmon_prog_type(enum bpf_prog_type prog_type)
 	}
 }
 
+static int bpf_prog_verify_signature(struct bpf_prog *prog, union bpf_attr *attr,
+				     bool is_kernel)
+{
+	bpfptr_t usig = make_bpfptr(attr->signature, is_kernel);
+	struct bpf_dynptr_kern sig_ptr, insns_ptr;
+	struct bpf_key *key = NULL;
+	void *sig;
+	int err = 0;
+
+	if (system_keyring_id_check(attr->keyring_id) == 0)
+		key = bpf_lookup_system_key(attr->keyring_id);
+	else
+		key = bpf_lookup_user_key(attr->keyring_id, 0);
+
+	sig = kvmemdup_bpfptr(usig, attr->signature_size);
+	if (IS_ERR(sig)) {
+		bpf_key_put(key);
+		return -ENOMEM;
+	}
+
+	bpf_dynptr_init(&sig_ptr, sig, BPF_DYNPTR_TYPE_LOCAL, 0,
+			attr->signature_size);
+	bpf_dynptr_init(&insns_ptr, prog->insnsi, BPF_DYNPTR_TYPE_LOCAL, 0,
+			prog->len * sizeof(struct bpf_insn));
+
+	err = bpf_verify_pkcs7_signature((struct bpf_dynptr *)&insns_ptr,
+					 (struct bpf_dynptr *)&sig_ptr, key);
+
+	bpf_key_put(key);
+	kvfree(sig);
+	return err;
+}
+
 /* last field in 'union bpf_attr' used by this command */
-#define BPF_PROG_LOAD_LAST_FIELD fd_array_cnt
+#define BPF_PROG_LOAD_LAST_FIELD keyring_id
 
 static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
 {
@@ -2951,6 +2985,12 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
 	/* eBPF programs must be GPL compatible to use GPL-ed functions */
 	prog->gpl_compatible = license_is_gpl_compatible(license) ? 1 : 0;
 
+	if (attr->signature) {
+		err = bpf_prog_verify_signature(prog, attr, uattr.is_kernel);
+		if (err)
+			goto free_prog;
+	}
+
 	prog->orig_prog = NULL;
 	prog->jited = 0;
 
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index fd3b895ebebf..4d8e64f97473 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -1607,6 +1607,16 @@ union bpf_attr {
 		 * continuous.
 		 */
 		__u32		fd_array_cnt;
+		/* Pointer to a buffer containing the signature of the BPF
+		 * program.
+		 */
+		__aligned_u64   signature;
+		/* Size of the signature buffer in bytes. */
+		__u32 		signature_size;
+		/* ID of the kernel keyring to be used for signature
+		 * verification.
+		 */
+		__s32		keyring_id;
 	};
 
 	struct { /* anonymous struct used by BPF_OBJ_* commands */
diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
index 6a08a1559237..9c7815ddd829 100644
--- a/tools/lib/bpf/bpf.c
+++ b/tools/lib/bpf/bpf.c
@@ -240,7 +240,7 @@ int bpf_prog_load(enum bpf_prog_type prog_type,
 		  const struct bpf_insn *insns, size_t insn_cnt,
 		  struct bpf_prog_load_opts *opts)
 {
-	const size_t attr_sz = offsetofend(union bpf_attr, fd_array_cnt);
+	const size_t attr_sz = offsetofend(union bpf_attr, keyring_id);
 	void *finfo = NULL, *linfo = NULL;
 	const char *func_info, *line_info;
 	__u32 log_size, log_level, attach_prog_fd, attach_btf_obj_fd;
-- 
2.43.0

[PATCH v3 09/12] libbpf: Update light skeleton for signing

[KP Singh]

* The metadata map is created with as an exclusive map (with an
excl_prog_hash) This restricts map access exclusively to the signed
loader program, preventing tampering by other processes.

* The map is then frozen, making it read-only from userspace.

* BPF_OBJ_GET_INFO_BY_ID instructs the kernel to compute the hash of the
  metadata map (H') and store it in bpf_map->sha.

* The loader is then loaded with the signature which is then verified by
  the kernel.

The sekeleton currently uses the session keyring
(KEY_SPEC_SESSION_KEYRING) by default but this can
be overridden by the user of the skeleton.

loading signed programs prebuilt into the kernel are not currently
supported. These can supported by enabling BPF_OBJ_GET_INFO_BY_ID to be
called from the kernel.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 tools/lib/bpf/skel_internal.h | 75 +++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 4 deletions(-)

diff --git a/tools/lib/bpf/skel_internal.h b/tools/lib/bpf/skel_internal.h
index 4d5fa079b5d6..0e8330b85735 100644
--- a/tools/lib/bpf/skel_internal.h
+++ b/tools/lib/bpf/skel_internal.h
@@ -13,10 +13,15 @@
 #include <unistd.h>
 #include <sys/syscall.h>
 #include <sys/mman.h>
+#include <linux/keyctl.h>
 #include <stdlib.h>
 #include "bpf.h"
 #endif
 
+#ifndef SHA256_DIGEST_LENGTH
+#define SHA256_DIGEST_LENGTH 32
+#endif
+
 #ifndef __NR_bpf
 # if defined(__mips__) && defined(_ABIO32)
 #  define __NR_bpf 4355
@@ -64,6 +69,11 @@ struct bpf_load_and_run_opts {
 	__u32 data_sz;
 	__u32 insns_sz;
 	const char *errstr;
+	void *signature;
+	__u32 signature_sz;
+	__s32 keyring_id;
+	void * excl_prog_hash;
+	__u32 excl_prog_hash_sz;
 };
 
 long kern_sys_bpf(__u32 cmd, void *attr, __u32 attr_size);
@@ -220,14 +230,19 @@ static inline int skel_map_create(enum bpf_map_type map_type,
 				  const char *map_name,
 				  __u32 key_size,
 				  __u32 value_size,
-				  __u32 max_entries)
+				  __u32 max_entries,
+				  const void *excl_prog_hash,
+				  __u32 excl_prog_hash_sz)
 {
-	const size_t attr_sz = offsetofend(union bpf_attr, map_extra);
+	const size_t attr_sz = offsetofend(union bpf_attr, excl_prog_hash);
 	union bpf_attr attr;
 
 	memset(&attr, 0, attr_sz);
 
 	attr.map_type = map_type;
+	attr.excl_prog_hash = (unsigned long) excl_prog_hash;
+	attr.excl_prog_hash_size = excl_prog_hash_sz;
+
 	strncpy(attr.map_name, map_name, sizeof(attr.map_name));
 	attr.key_size = key_size;
 	attr.value_size = value_size;
@@ -300,6 +315,34 @@ static inline int skel_link_create(int prog_fd, int target_fd,
 	return skel_sys_bpf(BPF_LINK_CREATE, &attr, attr_sz);
 }
 
+static inline int skel_obj_get_info_by_fd(int fd)
+{
+	const size_t attr_sz = offsetofend(union bpf_attr, info);
+	__u8 sha[SHA256_DIGEST_LENGTH];
+	struct bpf_map_info info = {};
+	__u32 info_len = sizeof(info);
+	union bpf_attr attr;
+
+	info.hash = (long) &sha;
+	info.hash_size = SHA256_DIGEST_LENGTH;
+
+	memset(&attr, 0, attr_sz);
+	attr.info.bpf_fd = fd;
+	attr.info.info = (long) &info;
+	attr.info.info_len = info_len;
+	return skel_sys_bpf(BPF_OBJ_GET_INFO_BY_FD, &attr, attr_sz);
+}
+
+static inline int skel_map_freeze(int fd)
+{
+	const size_t attr_sz = offsetofend(union bpf_attr, map_fd);
+	union bpf_attr attr;
+
+	memset(&attr, 0, attr_sz);
+	attr.map_fd = fd;
+
+	return skel_sys_bpf(BPF_MAP_FREEZE, &attr, attr_sz);
+}
 #ifdef __KERNEL__
 #define set_err
 #else
@@ -308,12 +351,13 @@ static inline int skel_link_create(int prog_fd, int target_fd,
 
 static inline int bpf_load_and_run(struct bpf_load_and_run_opts *opts)
 {
-	const size_t prog_load_attr_sz = offsetofend(union bpf_attr, fd_array);
+	const size_t prog_load_attr_sz = offsetofend(union bpf_attr, keyring_id);
 	const size_t test_run_attr_sz = offsetofend(union bpf_attr, test);
 	int map_fd = -1, prog_fd = -1, key = 0, err;
 	union bpf_attr attr;
 
-	err = map_fd = skel_map_create(BPF_MAP_TYPE_ARRAY, "__loader.map", 4, opts->data_sz, 1);
+	err = map_fd = skel_map_create(BPF_MAP_TYPE_ARRAY, "__loader.map", 4, opts->data_sz, 1,
+				       opts->excl_prog_hash, opts->excl_prog_hash_sz);
 	if (map_fd < 0) {
 		opts->errstr = "failed to create loader map";
 		set_err;
@@ -327,11 +371,34 @@ static inline int bpf_load_and_run(struct bpf_load_and_run_opts *opts)
 		goto out;
 	}
 
+#ifndef __KERNEL__
+	err = skel_map_freeze(map_fd);
+	if (err < 0) {
+		opts->errstr = "failed to freeze map";
+		set_err;
+		goto out;
+	}
+	err = skel_obj_get_info_by_fd(map_fd);
+	if (err < 0) {
+		opts->errstr = "failed to fetch obj info";
+		set_err;
+		goto out;
+	}
+#endif
+
 	memset(&attr, 0, prog_load_attr_sz);
 	attr.prog_type = BPF_PROG_TYPE_SYSCALL;
 	attr.insns = (long) opts->insns;
 	attr.insn_cnt = opts->insns_sz / sizeof(struct bpf_insn);
 	attr.license = (long) "Dual BSD/GPL";
+#ifndef __KERNEL__
+	attr.signature = (long) opts->signature;
+	attr.signature_size = opts->signature_sz;
+#else
+	if (opts->signature || opts->signature_sz)
+		pr_warn("signatures are not supported from bpf_preload\n");
+#endif
+	attr.keyring_id = opts->keyring_id;
 	memcpy(attr.prog_name, "__loader.prog", sizeof("__loader.prog"));
 	attr.fd_array = (long) &map_fd;
 	attr.log_level = opts->ctx->log_level;
-- 
2.43.0

[PATCH v3 10/12] libbpf: Embed and verify the metadata hash in the loader

[KP Singh]

To fulfill the BPF signing contract, represented as Sig(I_loader ||
H_meta), the generated trusted loader program must verify the integrity
of the metadata. This signature cryptographically binds the loader's
instructions (I_loader) to a hash of the metadata (H_meta).

The verification process is embedded directly into the loader program.
Upon execution, the loader loads the runtime hash from struct bpf_map
i.e. BPF_PSEUDO_MAP_IDX and compares this runtime hash against an
expected hash value that has been hardcoded directly by
bpf_obj__gen_loader.

The load from bpf_map can be improved by calling
BPF_OBJ_GET_INFO_BY_FD from the kernel context after BPF_OBJ_GET_INFO_BY_FD
has been updated for being called from the kernel context.

The following instructions are generated:

    ld_imm64 r1, const_ptr_to_map // insn[0].src_reg == BPF_PSEUDO_MAP_IDX
    r2 = *(u64 *)(r1 + 0);
    ld_imm64 r3, sha256_of_map_part1 // constant precomputed by
bpftool (part of H_meta)
    if r2 != r3 goto out;

    r2 = *(u64 *)(r1 + 8);
    ld_imm64 r3, sha256_of_map_part2 // (part of H_meta)
    if r2 != r3 goto out;

    r2 = *(u64 *)(r1 + 16);
    ld_imm64 r3, sha256_of_map_part3 // (part of H_meta)
    if r2 != r3 goto out;

    r2 = *(u64 *)(r1 + 24);
    ld_imm64 r3, sha256_of_map_part4 // (part of H_meta)
    if r2 != r3 goto out;
    ...

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 tools/lib/bpf/bpf_gen_internal.h |  2 ++
 tools/lib/bpf/gen_loader.c       | 55 ++++++++++++++++++++++++++++++++
 tools/lib/bpf/libbpf.h           |  3 +-
 3 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/tools/lib/bpf/bpf_gen_internal.h b/tools/lib/bpf/bpf_gen_internal.h
index 6ff963a491d9..49af4260b8e6 100644
--- a/tools/lib/bpf/bpf_gen_internal.h
+++ b/tools/lib/bpf/bpf_gen_internal.h
@@ -4,6 +4,7 @@
 #define __BPF_GEN_INTERNAL_H
 
 #include "bpf.h"
+#include "libbpf_internal.h"
 
 struct ksym_relo_desc {
 	const char *name;
@@ -50,6 +51,7 @@ struct bpf_gen {
 	__u32 nr_ksyms;
 	int fd_array;
 	int nr_fd_array;
+	int hash_insn_offset[SHA256_DWORD_SIZE];
 };
 
 void bpf_gen__init(struct bpf_gen *gen, int log_level, int nr_progs, int nr_maps);
diff --git a/tools/lib/bpf/gen_loader.c b/tools/lib/bpf/gen_loader.c
index 113ae4abd345..8eba7c1514ef 100644
--- a/tools/lib/bpf/gen_loader.c
+++ b/tools/lib/bpf/gen_loader.c
@@ -110,6 +110,7 @@ static void emit2(struct bpf_gen *gen, struct bpf_insn insn1, struct bpf_insn in
 
 static int add_data(struct bpf_gen *gen, const void *data, __u32 size);
 static void emit_sys_close_blob(struct bpf_gen *gen, int blob_off);
+static void bpf_gen__signature_match(struct bpf_gen *gen);
 
 void bpf_gen__init(struct bpf_gen *gen, int log_level, int nr_progs, int nr_maps)
 {
@@ -152,6 +153,8 @@ void bpf_gen__init(struct bpf_gen *gen, int log_level, int nr_progs, int nr_maps
 	/* R7 contains the error code from sys_bpf. Copy it into R0 and exit. */
 	emit(gen, BPF_MOV64_REG(BPF_REG_0, BPF_REG_7));
 	emit(gen, BPF_EXIT_INSN());
+	if (OPTS_GET(gen->opts, gen_hash, false))
+		bpf_gen__signature_match(gen);
 }
 
 static int add_data(struct bpf_gen *gen, const void *data, __u32 size)
@@ -368,6 +371,8 @@ static void emit_sys_close_blob(struct bpf_gen *gen, int blob_off)
 	__emit_sys_close(gen);
 }
 
+static int compute_sha_udpate_offsets(struct bpf_gen *gen);
+
 int bpf_gen__finish(struct bpf_gen *gen, int nr_progs, int nr_maps)
 {
 	int i;
@@ -394,6 +399,12 @@ int bpf_gen__finish(struct bpf_gen *gen, int nr_progs, int nr_maps)
 			      blob_fd_array_off(gen, i));
 	emit(gen, BPF_MOV64_IMM(BPF_REG_0, 0));
 	emit(gen, BPF_EXIT_INSN());
+	if (OPTS_GET(gen->opts, gen_hash, false)) {
+		gen->error = compute_sha_udpate_offsets(gen);
+		if (gen->error)
+			return gen->error;
+	}
+
 	pr_debug("gen: finish %s\n", errstr(gen->error));
 	if (!gen->error) {
 		struct gen_loader_opts *opts = gen->opts;
@@ -446,6 +457,27 @@ void bpf_gen__free(struct bpf_gen *gen)
 	_val;							\
 })
 
+static int compute_sha_udpate_offsets(struct bpf_gen *gen)
+{
+	__u64 sha[SHA256_DWORD_SIZE];
+	__u64 sha_dw;
+	int i, err;
+
+	err = libbpf_sha256(gen->data_start, gen->data_cur - gen->data_start, sha, SHA256_DIGEST_LENGTH);
+	if (err < 0) {
+		pr_warn("sha256 computation of the metadata failed");
+		return err;
+	}
+	for (i = 0; i < SHA256_DWORD_SIZE; i++) {
+		struct bpf_insn *insn =
+			(struct bpf_insn *)(gen->insn_start + gen->hash_insn_offset[i]);
+		sha_dw = tgt_endian(sha[i]);
+		insn[0].imm = (__u32)sha_dw;
+		insn[1].imm = sha_dw >> 32;
+	}
+	return 0;
+}
+
 void bpf_gen__load_btf(struct bpf_gen *gen, const void *btf_raw_data,
 		       __u32 btf_raw_size)
 {
@@ -557,6 +589,29 @@ void bpf_gen__map_create(struct bpf_gen *gen,
 		emit_sys_close_stack(gen, stack_off(inner_map_fd));
 }
 
+static void bpf_gen__signature_match(struct bpf_gen *gen)
+{
+	__s64 off;
+	int i;
+
+	for (i = 0; i < SHA256_DWORD_SIZE; i++) {
+		emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_1, BPF_PSEUDO_MAP_IDX,
+						 0, 0, 0, 0));
+		emit(gen, BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, i * sizeof(__u64)));
+		gen->hash_insn_offset[i] = gen->insn_cur - gen->insn_start;
+		emit2(gen, BPF_LD_IMM64_RAW_FULL(BPF_REG_3, 0, 0, 0, 0, 0));
+
+		off =  -(gen->insn_cur - gen->insn_start - gen->cleanup_label) / 8 - 1;
+		if (is_simm16(off)) {
+			emit(gen, BPF_MOV64_IMM(BPF_REG_7, -EINVAL));
+			emit(gen, BPF_JMP_REG(BPF_JNE, BPF_REG_2, BPF_REG_3, off));
+		} else {
+			gen->error = -ERANGE;
+			emit(gen, BPF_JMP_IMM(BPF_JA, 0, 0, -1));
+		}
+	}
+}
+
 void bpf_gen__record_attach_target(struct bpf_gen *gen, const char *attach_name,
 				   enum bpf_attach_type type)
 {
diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h
index ddaf58c8a298..826e0395427d 100644
--- a/tools/lib/bpf/libbpf.h
+++ b/tools/lib/bpf/libbpf.h
@@ -1828,9 +1828,10 @@ struct gen_loader_opts {
 	const char *insns;
 	__u32 data_sz;
 	__u32 insns_sz;
+	bool gen_hash;
 };
 
-#define gen_loader_opts__last_field insns_sz
+#define gen_loader_opts__last_field gen_hash
 LIBBPF_API int bpf_object__gen_loader(struct bpf_object *obj,
 				      struct gen_loader_opts *opts);
 
-- 
2.43.0

[PATCH v3 11/12] bpftool: Add support for signing BPF programs

[KP Singh]

Two modes of operation being added:

Add two modes of operation:

* For prog load, allow signing a program immediately before loading. This
  is essential for command-line testing and administration.

      bpftool prog load -S -k <private_key> -i <identity_cert> fentry_test.bpf.o

* For gen skeleton, embed a pre-generated signature into the C skeleton
  file. This supports the use of signed programs in compiled applications.

      bpftool gen skeleton -S -k <private_key> -i <identity_cert> fentry_test.bpf.o

Generation of the loader program and its metadata map is implemented in
libbpf (bpf_obj__gen_loader). bpftool generates a skeleton that loads
the program and automates the required steps: freezing the map, creating
an exclusive map, loading, and running. Users can use standard libbpf
APIs directly or integrate loader program generation into their own
toolchains.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 .../bpf/bpftool/Documentation/bpftool-gen.rst |  16 +-
 .../bpftool/Documentation/bpftool-prog.rst    |  18 +-
 tools/bpf/bpftool/Makefile                    |   6 +-
 tools/bpf/bpftool/cgroup.c                    |   4 +
 tools/bpf/bpftool/gen.c                       |  60 ++++-
 tools/bpf/bpftool/main.c                      |  26 ++-
 tools/bpf/bpftool/main.h                      |  11 +
 tools/bpf/bpftool/prog.c                      |  27 ++-
 tools/bpf/bpftool/sign.c                      | 212 ++++++++++++++++++
 9 files changed, 367 insertions(+), 13 deletions(-)
 create mode 100644 tools/bpf/bpftool/sign.c

diff --git a/tools/bpf/bpftool/Documentation/bpftool-gen.rst b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
index ca860fd97d8d..cef469d758ed 100644
--- a/tools/bpf/bpftool/Documentation/bpftool-gen.rst
+++ b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
@@ -16,7 +16,8 @@ SYNOPSIS
 
 **bpftool** [*OPTIONS*] **gen** *COMMAND*
 
-*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } }
+*OPTIONS* := { |COMMON_OPTIONS| [ { **-L** | **--use-loader** } ]
+[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }}
 
 *COMMAND* := { **object** | **skeleton** | **help** }
 
@@ -186,6 +187,19 @@ OPTIONS
     skeleton). A light skeleton contains a loader eBPF program. It does not use
     the majority of the libbpf infrastructure, and does not need libelf.
 
+-S, --sign
+    For skeletons, generate a signed skeleton. This option must be used with
+    **-k** and **-i**. Using this flag implicitly enables **--use-loader**.
+    See the "Signed Skeletons" section in the description of the
+    **gen skeleton** command for more details.
+
+-k <private_key.pem>
+    Path to the private key file in PEM format, required for signing.
+
+-i <certificate.x509>
+    Path to the X.509 certificate file in PEM or DER format, required for
+    signing.
+
 EXAMPLES
 ========
 **$ cat example1.bpf.c**
diff --git a/tools/bpf/bpftool/Documentation/bpftool-prog.rst b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
index f69fd92df8d8..55b812761df2 100644
--- a/tools/bpf/bpftool/Documentation/bpftool-prog.rst
+++ b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
@@ -16,9 +16,9 @@ SYNOPSIS
 
 **bpftool** [*OPTIONS*] **prog** *COMMAND*
 
-*OPTIONS* := { |COMMON_OPTIONS| |
-{ **-f** | **--bpffs** } | { **-m** | **--mapcompat** } | { **-n** | **--nomount** } |
-{ **-L** | **--use-loader** } }
+*OPTIONS* := { |COMMON_OPTIONS| [ { **-f** | **--bpffs** } ] [ { **-m** | **--mapcompat** } ]
+[ { **-n** | **--nomount** } ] [ { **-L** | **--use-loader** } ]
+[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }
 
 *COMMANDS* :=
 { **show** | **list** | **dump xlated** | **dump jited** | **pin** | **load** |
@@ -248,6 +248,18 @@ OPTIONS
     creating the maps, and loading the programs (see **bpftool prog tracelog**
     as a way to dump those messages).
 
+-S, --sign
+    Enable signing of the BPF program before loading. This option must be
+    used with **-k** and **-i**. Using this flag implicitly enables
+    **--use-loader**.
+
+-k <private_key.pem>
+    Path to the private key file in PEM format, required when signing.
+
+-i <certificate.x509>
+    Path to the X.509 certificate file in PEM or DER format, required when
+    signing.
+
 EXAMPLES
 ========
 **# bpftool prog show**
diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
index 9e9a5f006cd2..586d1b2595d1 100644
--- a/tools/bpf/bpftool/Makefile
+++ b/tools/bpf/bpftool/Makefile
@@ -130,8 +130,8 @@ include $(FEATURES_DUMP)
 endif
 endif
 
-LIBS = $(LIBBPF) -lelf -lz
-LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
+LIBS = $(LIBBPF) -lelf -lz -lcrypto
+LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
 
 ifeq ($(feature-libelf-zstd),1)
 LIBS += -lzstd
@@ -194,7 +194,7 @@ endif
 
 BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
 
-BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
+BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
 $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
 
 OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
index 944ebe21a216..ec356deb27c9 100644
--- a/tools/bpf/bpftool/cgroup.c
+++ b/tools/bpf/bpftool/cgroup.c
@@ -2,6 +2,10 @@
 // Copyright (C) 2017 Facebook
 // Author: Roman Gushchin <guro@fb.com>
 
+#undef GCC_VERSION
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
 #define _XOPEN_SOURCE 500
 #include <errno.h>
 #include <fcntl.h>
diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
index 67a60114368f..427468c9e9c2 100644
--- a/tools/bpf/bpftool/gen.c
+++ b/tools/bpf/bpftool/gen.c
@@ -688,10 +688,17 @@ static void codegen_destroy(struct bpf_object *obj, const char *obj_name)
 static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *header_guard)
 {
 	DECLARE_LIBBPF_OPTS(gen_loader_opts, opts);
+	struct bpf_load_and_run_opts sopts = {};
+	char sig_buf[MAX_SIG_SIZE];
+	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	struct bpf_map *map;
+
 	char ident[256];
 	int err = 0;
 
+	if (sign_progs)
+		opts.gen_hash = true;
+
 	err = bpf_object__gen_loader(obj, &opts);
 	if (err)
 		return err;
@@ -701,6 +708,7 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 		p_err("failed to load object file");
 		goto out;
 	}
+
 	/* If there was no error during load then gen_loader_opts
 	 * are populated with the loader program.
 	 */
@@ -780,8 +788,51 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
 	print_hex(opts.insns, opts.insns_sz);
 	codegen("\
 		\n\
-		\";							    \n\
-									    \n\
+		\";\n");
+
+	if (sign_progs) {
+		sopts.insns = opts.insns;
+		sopts.insns_sz = opts.insns_sz;
+		sopts.excl_prog_hash = prog_sha;
+		sopts.excl_prog_hash_sz = sizeof(prog_sha);
+		sopts.signature = sig_buf;
+		sopts.signature_sz = MAX_SIG_SIZE;
+		sopts.keyring_id = KEY_SPEC_SESSION_KEYRING;
+
+		err = bpftool_prog_sign(&sopts);
+		if (err < 0)
+			return err;
+
+		codegen("\
+		\n\
+			static const char opts_sig[] __attribute__((__aligned__(8))) = \"\\\n\
+		");
+		print_hex((const void *)sig_buf, sopts.signature_sz);
+		codegen("\
+		\n\
+		\";\n");
+
+		codegen("\
+		\n\
+			static const char opts_excl_hash[] __attribute__((__aligned__(8))) = \"\\\n\
+		");
+		print_hex((const void *)prog_sha, sizeof(prog_sha));
+		codegen("\
+		\n\
+		\";\n");
+
+		codegen("\
+		\n\
+			opts.signature = (void *)opts_sig;			\n\
+			opts.signature_sz = sizeof(opts_sig) - 1;		\n\
+			opts.excl_prog_hash = (void *)opts_excl_hash;		\n\
+			opts.excl_prog_hash_sz = sizeof(opts_excl_hash) - 1;	\n\
+			opts.keyring_id = KEY_SPEC_SESSION_KEYRING;		\n\
+		");
+	}
+
+	codegen("\
+		\n\
 			opts.ctx = (struct bpf_loader_ctx *)skel;	    \n\
 			opts.data_sz = sizeof(opts_data) - 1;		    \n\
 			opts.data = (void *)opts_data;			    \n\
@@ -1240,7 +1291,7 @@ static int do_skeleton(int argc, char **argv)
 		err = -errno;
 		libbpf_strerror(err, err_buf, sizeof(err_buf));
 		p_err("failed to open BPF object file: %s", err_buf);
-		goto out;
+		goto out_obj;
 	}
 
 	bpf_object__for_each_map(map, obj) {
@@ -1552,6 +1603,7 @@ static int do_skeleton(int argc, char **argv)
 	err = 0;
 out:
 	bpf_object__close(obj);
+out_obj:
 	if (obj_data)
 		munmap(obj_data, mmap_sz);
 	close(fd);
@@ -1930,7 +1982,7 @@ static int do_help(int argc, char **argv)
 		"       %1$s %2$s help\n"
 		"\n"
 		"       " HELP_SPEC_OPTIONS " |\n"
-		"                    {-L|--use-loader} }\n"
+		"                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
 		"",
 		bin_name, "gen");
 
diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
index 0f1183b2ed0a..c78eb80b9c94 100644
--- a/tools/bpf/bpftool/main.c
+++ b/tools/bpf/bpftool/main.c
@@ -33,6 +33,9 @@ bool relaxed_maps;
 bool use_loader;
 struct btf *base_btf;
 struct hashmap *refs_table;
+bool sign_progs;
+const char *private_key_path;
+const char *cert_path;
 
 static void __noreturn clean_and_exit(int i)
 {
@@ -448,6 +451,7 @@ int main(int argc, char **argv)
 		{ "nomount",	no_argument,	NULL,	'n' },
 		{ "debug",	no_argument,	NULL,	'd' },
 		{ "use-loader",	no_argument,	NULL,	'L' },
+		{ "sign",	no_argument,	NULL,	'S' },
 		{ "base-btf",	required_argument, NULL, 'B' },
 		{ 0 }
 	};
@@ -474,7 +478,7 @@ int main(int argc, char **argv)
 	bin_name = "bpftool";
 
 	opterr = 0;
-	while ((opt = getopt_long(argc, argv, "VhpjfLmndB:l",
+	while ((opt = getopt_long(argc, argv, "VhpjfLmndSi:k:B:l",
 				  options, NULL)) >= 0) {
 		switch (opt) {
 		case 'V':
@@ -520,6 +524,16 @@ int main(int argc, char **argv)
 		case 'L':
 			use_loader = true;
 			break;
+		case 'S':
+			sign_progs = true;
+			use_loader = true;
+			break;
+		case 'k':
+			private_key_path = optarg;
+			break;
+		case 'i':
+			cert_path = optarg;
+			break;
 		default:
 			p_err("unrecognized option '%s'", argv[optind - 1]);
 			if (json_output)
@@ -534,6 +548,16 @@ int main(int argc, char **argv)
 	if (argc < 0)
 		usage();
 
+	if (sign_progs && (private_key_path == NULL || cert_path == NULL)) {
+		p_err("-i <identity_x509_cert> and -k <private> key must be supplied with -S for signing");
+		return -EINVAL;
+	}
+
+	if (!sign_progs && (private_key_path != NULL || cert_path != NULL)) {
+		p_err("-i <identity_x509_cert> and -k <private> also need --sign to be used for sign programs");
+		return -EINVAL;
+	}
+
 	if (version_requested)
 		ret = do_version(argc, argv);
 	else
diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
index a2bb0714b3d6..f7f5b39b66c8 100644
--- a/tools/bpf/bpftool/main.h
+++ b/tools/bpf/bpftool/main.h
@@ -6,9 +6,14 @@
 
 /* BFD and kernel.h both define GCC_VERSION, differently */
 #undef GCC_VERSION
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
 #include <stdbool.h>
 #include <stdio.h>
+#include <errno.h>
 #include <stdlib.h>
+#include <bpf/skel_internal.h>
 #include <linux/bpf.h>
 #include <linux/compiler.h>
 #include <linux/kernel.h>
@@ -52,6 +57,7 @@ static inline void *u64_to_ptr(__u64 ptr)
 	})
 
 #define ERR_MAX_LEN	1024
+#define MAX_SIG_SIZE	4096
 
 #define BPF_TAG_FMT	"%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
 
@@ -85,6 +91,9 @@ extern bool relaxed_maps;
 extern bool use_loader;
 extern struct btf *base_btf;
 extern struct hashmap *refs_table;
+extern bool sign_progs;
+extern const char *private_key_path;
+extern const char *cert_path;
 
 void __printf(1, 2) p_err(const char *fmt, ...);
 void __printf(1, 2) p_info(const char *fmt, ...);
@@ -275,4 +284,6 @@ int pathname_concat(char *buf, int buf_sz, const char *path,
 /* print netfilter bpf_link info */
 void netfilter_dump_plain(const struct bpf_link_info *info);
 void netfilter_dump_json(const struct bpf_link_info *info, json_writer_t *wtr);
+int bpftool_prog_sign(struct bpf_load_and_run_opts *opts);
+__u32 register_session_key(const char *key_der_path);
 #endif
diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
index 9722d841abc0..82b8da084504 100644
--- a/tools/bpf/bpftool/prog.c
+++ b/tools/bpf/bpftool/prog.c
@@ -23,6 +23,7 @@
 #include <linux/err.h>
 #include <linux/perf_event.h>
 #include <linux/sizes.h>
+#include <linux/keyctl.h>
 
 #include <bpf/bpf.h>
 #include <bpf/btf.h>
@@ -1930,6 +1931,8 @@ static int try_loader(struct gen_loader_opts *gen)
 {
 	struct bpf_load_and_run_opts opts = {};
 	struct bpf_loader_ctx *ctx;
+	char sig_buf[MAX_SIG_SIZE];
+	__u8 prog_sha[SHA256_DIGEST_LENGTH];
 	int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
 					     sizeof(struct bpf_prog_desc));
 	int log_buf_sz = (1u << 24) - 1;
@@ -1953,6 +1956,24 @@ static int try_loader(struct gen_loader_opts *gen)
 	opts.insns = gen->insns;
 	opts.insns_sz = gen->insns_sz;
 	fds_before = count_open_fds();
+
+	if (sign_progs) {
+		opts.excl_prog_hash = prog_sha;
+		opts.excl_prog_hash_sz = sizeof(prog_sha);
+		opts.signature = sig_buf;
+		opts.signature_sz = MAX_SIG_SIZE;
+		opts.keyring_id = KEY_SPEC_SESSION_KEYRING;
+
+		err = bpftool_prog_sign(&opts);
+		if (err < 0)
+			return err;
+
+		err = register_session_key(cert_path);
+		if (err < 0) {
+			p_err("failed to add session key");
+			goto out;
+		}
+	}
 	err = bpf_load_and_run(&opts);
 	fd_delta = count_open_fds() - fds_before;
 	if (err < 0 || verifier_logs) {
@@ -1961,6 +1982,7 @@ static int try_loader(struct gen_loader_opts *gen)
 			fprintf(stderr, "loader prog leaked %d FDs\n",
 				fd_delta);
 	}
+out:
 	free(log_buf);
 	return err;
 }
@@ -1988,6 +2010,9 @@ static int do_loader(int argc, char **argv)
 		goto err_close_obj;
 	}
 
+	if (sign_progs)
+		gen.gen_hash = true;
+
 	err = bpf_object__gen_loader(obj, &gen);
 	if (err)
 		goto err_close_obj;
@@ -2562,7 +2587,7 @@ static int do_help(int argc, char **argv)
 		"       METRIC := { cycles | instructions | l1d_loads | llc_misses | itlb_misses | dtlb_misses }\n"
 		"       " HELP_SPEC_OPTIONS " |\n"
 		"                    {-f|--bpffs} | {-m|--mapcompat} | {-n|--nomount} |\n"
-		"                    {-L|--use-loader} }\n"
+		"                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ] \n"
 		"",
 		bin_name, argv[-2]);
 
diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
new file mode 100644
index 000000000000..b29d825bb1d4
--- /dev/null
+++ b/tools/bpf/bpftool/sign.c
@@ -0,0 +1,212 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/*
+ * Copyright (C) 2025 Google LLC.
+ */
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <string.h>
+#include <getopt.h>
+#include <err.h>
+#include <openssl/opensslv.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/cms.h>
+#include <linux/keyctl.h>
+#include <errno.h>
+
+#include <bpf/skel_internal.h>
+
+#include "main.h"
+
+#define OPEN_SSL_ERR_BUF_LEN 256
+
+static void display_openssl_errors(int l)
+{
+	char buf[OPEN_SSL_ERR_BUF_LEN];
+	const char *file;
+	const char *data;
+	unsigned long e;
+	int flags;
+	int line;
+
+	while ((e = ERR_get_error_all(&file, &line, NULL, &data, &flags))) {
+		ERR_error_string_n(e, buf, sizeof(buf));
+		if (data && (flags & ERR_TXT_STRING)) {
+			p_err("OpenSSL %s: %s:%d: %s", buf, file, line, data);
+		} else {
+			p_err("OpenSSL %s: %s:%d", buf, file, line);
+		}
+	}
+}
+
+#define DISPLAY_OSSL_ERR(cond)				 \
+	do {						 \
+		bool __cond = (cond);			 \
+		if (__cond && ERR_peek_error())		 \
+			display_openssl_errors(__LINE__);\
+	} while (0)
+
+static EVP_PKEY *read_private_key(const char *pkey_path)
+{
+	EVP_PKEY *private_key = NULL;
+	BIO *b;
+
+	b = BIO_new_file(pkey_path, "rb");
+	private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
+	BIO_free(b);
+	DISPLAY_OSSL_ERR(!private_key);
+	return private_key;
+}
+
+static X509 *read_x509(const char *x509_name)
+{
+	unsigned char buf[2];
+	X509 *x509 = NULL;
+	BIO *b;
+	int n;
+
+	b = BIO_new_file(x509_name, "rb");
+	if (!b)
+		goto cleanup;
+
+	/* Look at the first two bytes of the file to determine the encoding */
+	n = BIO_read(b, buf, 2);
+	if (n != 2)
+		goto cleanup;
+
+	if (BIO_reset(b) != 0)
+		goto cleanup;
+
+	if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
+		/* Assume raw DER encoded X.509 */
+		x509 = d2i_X509_bio(b, NULL);
+	else
+		/* Assume PEM encoded X.509 */
+		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
+
+cleanup:
+	BIO_free(b);
+	DISPLAY_OSSL_ERR(!x509);
+	return x509;
+}
+
+__u32 register_session_key(const char *key_der_path)
+{
+	unsigned char *der_buf = NULL;
+	X509 *x509 = NULL;
+	int key_id = -1;
+	int der_len;
+
+	if (!key_der_path)
+		return key_id;
+	x509 = read_x509(key_der_path);
+	if (!x509)
+		goto cleanup;
+	der_len = i2d_X509(x509, &der_buf);
+	if (der_len < 0)
+		goto cleanup;
+	key_id = syscall(__NR_add_key, "asymmetric", key_der_path, der_buf,
+			     (size_t)der_len, KEY_SPEC_SESSION_KEYRING);
+cleanup:
+	X509_free(x509);
+	OPENSSL_free(der_buf);
+	DISPLAY_OSSL_ERR(key_id == -1);
+	return key_id;
+}
+
+int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
+{
+	BIO *bd_in = NULL, *bd_out = NULL;
+	EVP_PKEY *private_key = NULL;
+	CMS_ContentInfo *cms = NULL;
+	long actual_sig_len = 0;
+	X509 *x509 = NULL;
+	int err = 0;
+
+	bd_in = BIO_new_mem_buf(opts->insns, opts->insns_sz);
+	if (!bd_in) {
+		err = -ENOMEM;
+		goto cleanup;
+	}
+
+	private_key = read_private_key(private_key_path);
+	if (!private_key) {
+		err = -EINVAL;
+		goto cleanup;
+	}
+
+	x509 = read_x509(cert_path);
+	if (!x509) {
+		err = -EINVAL;
+		goto cleanup;
+	}
+
+	cms = CMS_sign(NULL, NULL, NULL, NULL,
+		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED |
+			       CMS_STREAM);
+	if (!cms) {
+		err = -EINVAL;
+		goto cleanup;
+	}
+
+	if (!CMS_add1_signer(cms, x509, private_key, EVP_sha256(),
+			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
+			     CMS_USE_KEYID | CMS_NOATTR)) {
+		err = -EINVAL;
+		goto cleanup;
+	}
+
+	if (CMS_final(cms, bd_in, NULL, CMS_NOCERTS | CMS_BINARY) != 1) {
+		err = -EIO;
+		goto cleanup;
+	}
+
+	EVP_Digest(opts->insns, opts->insns_sz, opts->excl_prog_hash,
+		   &opts->excl_prog_hash_sz, EVP_sha256(), NULL);
+
+		bd_out = BIO_new(BIO_s_mem());
+	if (!bd_out) {
+		err = -ENOMEM;
+		goto cleanup;
+	}
+
+	if (!i2d_CMS_bio_stream(bd_out, cms, NULL, 0)) {
+		err = -EIO;
+		goto cleanup;
+	}
+
+	actual_sig_len = BIO_get_mem_data(bd_out, NULL);
+	if (actual_sig_len <= 0) {
+		err = -EIO;
+		goto cleanup;
+	}
+
+	if ((size_t)actual_sig_len > opts->signature_sz) {
+		err = -ENOSPC;
+		goto cleanup;
+	}
+
+	if (BIO_read(bd_out, opts->signature, actual_sig_len) != actual_sig_len) {
+		err = -EIO;
+		goto cleanup;
+	}
+
+	opts->signature_sz = actual_sig_len;
+cleanup:
+	BIO_free(bd_out);
+	CMS_ContentInfo_free(cms);
+	X509_free(x509);
+	EVP_PKEY_free(private_key);
+	BIO_free(bd_in);
+	DISPLAY_OSSL_ERR(err < 0);
+	return err;
+}
-- 
2.43.0

[PATCH v3 12/12] selftests/bpf: Enable signature verification for some lskel tests

[KP Singh]

The test harness uses the verify_sig_setup.sh to generate the required
key material for program signing.

Generate key material for signing LSKEL some lskel programs and use
xxd to convert the verification certificate into a C header file.

Finally, update the main test runner to load this
certificate into the session keyring via the add_key() syscall before
executing any tests.

Signed-off-by: KP Singh <kpsingh@kernel.org>
---
 tools/testing/selftests/bpf/.gitignore        |  1 +
 tools/testing/selftests/bpf/Makefile          | 35 ++++++++++++++++---
 tools/testing/selftests/bpf/test_progs.c      | 13 +++++++
 .../testing/selftests/bpf/verify_sig_setup.sh | 13 +++++--
 4 files changed, 56 insertions(+), 6 deletions(-)

diff --git a/tools/testing/selftests/bpf/.gitignore b/tools/testing/selftests/bpf/.gitignore
index 3d8378972d26..be1ee7ba7ce0 100644
--- a/tools/testing/selftests/bpf/.gitignore
+++ b/tools/testing/selftests/bpf/.gitignore
@@ -44,3 +44,4 @@ xdp_redirect_multi
 xdp_synproxy
 xdp_hw_metadata
 xdp_features
+verification_cert.h
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 4863106034df..e473e2d780fb 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -496,15 +496,16 @@ LINKED_SKELS := test_static_linked.skel.h linked_funcs.skel.h		\
 		test_subskeleton.skel.h test_subskeleton_lib.skel.h	\
 		test_usdt.skel.h
 
-LSKELS := fentry_test.c fexit_test.c fexit_sleep.c atomics.c 		\
-	trace_printk.c trace_vprintk.c map_ptr_kern.c 			\
+LSKELS := fexit_sleep.c trace_printk.c trace_vprintk.c map_ptr_kern.c 	\
 	core_kern.c core_kern_overflow.c test_ringbuf.c			\
 	test_ringbuf_n.c test_ringbuf_map_key.c test_ringbuf_write.c
 
+LSKELS_SIGNED := fentry_test.c fexit_test.c atomics.c
+
 # Generate both light skeleton and libbpf skeleton for these
 LSKELS_EXTRA := test_ksyms_module.c test_ksyms_weak.c kfunc_call_test.c \
 	kfunc_call_test_subprog.c
-SKEL_BLACKLIST += $$(LSKELS)
+SKEL_BLACKLIST += $$(LSKELS) $$(LSKELS_SIGNED)
 
 test_static_linked.skel.h-deps := test_static_linked1.bpf.o test_static_linked2.bpf.o
 linked_funcs.skel.h-deps := linked_funcs1.bpf.o linked_funcs2.bpf.o
@@ -535,6 +536,7 @@ HEADERS_FOR_BPF_OBJS := $(wildcard $(BPFDIR)/*.bpf.h)		\
 # $2 - test runner extra "flavor" (e.g., no_alu32, cpuv4, bpf_gcc, etc)
 define DEFINE_TEST_RUNNER
 
+LSKEL_SIGN := -S -k $(PRIVATE_KEY) -i $(VERIFICATION_CERT)
 TRUNNER_OUTPUT := $(OUTPUT)$(if $2,/)$2
 TRUNNER_BINARY := $1$(if $2,-)$2
 TRUNNER_TEST_OBJS := $$(patsubst %.c,$$(TRUNNER_OUTPUT)/%.test.o,	\
@@ -550,6 +552,7 @@ TRUNNER_BPF_SKELS := $$(patsubst %.c,$$(TRUNNER_OUTPUT)/%.skel.h,	\
 					       $$(TRUNNER_BPF_SRCS)))
 TRUNNER_BPF_LSKELS := $$(patsubst %.c,$$(TRUNNER_OUTPUT)/%.lskel.h, $$(LSKELS) $$(LSKELS_EXTRA))
 TRUNNER_BPF_SKELS_LINKED := $$(addprefix $$(TRUNNER_OUTPUT)/,$(LINKED_SKELS))
+TRUNNER_BPF_LSKELS_SIGNED := $$(patsubst %.c,$$(TRUNNER_OUTPUT)/%.lskel.h, $$(LSKELS_SIGNED))
 TEST_GEN_FILES += $$(TRUNNER_BPF_OBJS)
 
 # Evaluate rules now with extra TRUNNER_XXX variables above already defined
@@ -604,6 +607,15 @@ $(TRUNNER_BPF_LSKELS): %.lskel.h: %.bpf.o $(BPFTOOL) | $(TRUNNER_OUTPUT)
 	$(Q)$$(BPFTOOL) gen skeleton -L $$(<:.o=.llinked3.o) name $$(notdir $$(<:.bpf.o=_lskel)) > $$@
 	$(Q)rm -f $$(<:.o=.llinked1.o) $$(<:.o=.llinked2.o) $$(<:.o=.llinked3.o)
 
+$(TRUNNER_BPF_LSKELS_SIGNED): %.lskel.h: %.bpf.o $(BPFTOOL) | $(TRUNNER_OUTPUT)
+	$$(call msg,GEN-SKEL,$(TRUNNER_BINARY) (signed),$$@)
+	$(Q)$$(BPFTOOL) gen object $$(<:.o=.llinked1.o) $$<
+	$(Q)$$(BPFTOOL) gen object $$(<:.o=.llinked2.o) $$(<:.o=.llinked1.o)
+	$(Q)$$(BPFTOOL) gen object $$(<:.o=.llinked3.o) $$(<:.o=.llinked2.o)
+	$(Q)diff $$(<:.o=.llinked2.o) $$(<:.o=.llinked3.o)
+	$(Q)$$(BPFTOOL) gen skeleton $(LSKEL_SIGN) $$(<:.o=.llinked3.o) name $$(notdir $$(<:.bpf.o=_lskel)) > $$@
+	$(Q)rm -f $$(<:.o=.llinked1.o) $$(<:.o=.llinked2.o) $$(<:.o=.llinked3.o)
+
 $(LINKED_BPF_OBJS): %: $(TRUNNER_OUTPUT)/%
 
 # .SECONDEXPANSION here allows to correctly expand %-deps variables as prerequisites
@@ -653,6 +665,7 @@ $(TRUNNER_TEST_OBJS:.o=.d): $(TRUNNER_OUTPUT)/%.test.d:			\
 			    $(TRUNNER_EXTRA_HDRS)			\
 			    $(TRUNNER_BPF_SKELS)			\
 			    $(TRUNNER_BPF_LSKELS)			\
+			    $(TRUNNER_BPF_LSKELS_SIGNED)		\
 			    $(TRUNNER_BPF_SKELS_LINKED)			\
 			    $$(BPFOBJ) | $(TRUNNER_OUTPUT)
 
@@ -667,6 +680,7 @@ $(foreach N,$(patsubst $(TRUNNER_OUTPUT)/%.o,%,$(TRUNNER_EXTRA_OBJS)),	\
 $(TRUNNER_EXTRA_OBJS): $(TRUNNER_OUTPUT)/%.o:				\
 		       %.c						\
 		       $(TRUNNER_EXTRA_HDRS)				\
+		       $(VERIFY_SIG_HDR)				\
 		       $(TRUNNER_TESTS_HDR)				\
 		       $$(BPFOBJ) | $(TRUNNER_OUTPUT)
 	$$(call msg,EXT-OBJ,$(TRUNNER_BINARY),$$@)
@@ -697,6 +711,18 @@ $(OUTPUT)/$(TRUNNER_BINARY): $(TRUNNER_TEST_OBJS)			\
 
 endef
 
+VERIFY_SIG_SETUP := $(CURDIR)/verify_sig_setup.sh
+VERIFY_SIG_HDR := verification_cert.h
+VERIFICATION_CERT   := $(BUILD_DIR)/signing_key.der
+PRIVATE_KEY := $(BUILD_DIR)/signing_key.pem
+
+$(VERIFICATION_CERT) $(PRIVATE_KEY): $(VERIFY_SIG_SETUP)
+	$(Q)mkdir -p $(BUILD_DIR)
+	$(Q)$(VERIFY_SIG_SETUP) genkey $(BUILD_DIR)
+
+$(VERIFY_SIG_HDR): $(VERIFICATION_CERT)
+	$(Q)xxd -i -n test_progs_verification_cert $< > $@
+
 # Define test_progs test runner.
 TRUNNER_TESTS_DIR := prog_tests
 TRUNNER_BPF_PROGS_DIR := progs
@@ -716,6 +742,7 @@ TRUNNER_EXTRA_SOURCES := test_progs.c		\
 			 disasm.c		\
 			 disasm_helpers.c	\
 			 json_writer.c 		\
+			 $(VERIFY_SIG_HDR)		\
 			 flow_dissector_load.h	\
 			 ip_check_defrag_frags.h
 TRUNNER_EXTRA_FILES := $(OUTPUT)/urandom_read				\
@@ -725,7 +752,7 @@ TRUNNER_EXTRA_FILES := $(OUTPUT)/urandom_read				\
 		       $(OUTPUT)/uprobe_multi				\
 		       $(TEST_KMOD_TARGETS)				\
 		       ima_setup.sh 					\
-		       verify_sig_setup.sh				\
+		       $(VERIFY_SIG_SETUP)				\
 		       $(wildcard progs/btf_dump_test_case_*.c)		\
 		       $(wildcard progs/*.bpf.o)
 TRUNNER_BPF_BUILD_RULE := CLANG_BPF_BUILD_RULE
diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
index 309d9d4a8ace..02a85dda30e6 100644
--- a/tools/testing/selftests/bpf/test_progs.c
+++ b/tools/testing/selftests/bpf/test_progs.c
@@ -14,12 +14,14 @@
 #include <netinet/in.h>
 #include <sys/select.h>
 #include <sys/socket.h>
+#include <linux/keyctl.h>
 #include <sys/un.h>
 #include <bpf/btf.h>
 #include <time.h>
 #include "json_writer.h"
 
 #include "network_helpers.h"
+#include "verification_cert.h"
 
 /* backtrace() and backtrace_symbols_fd() are glibc specific,
  * use header file when glibc is available and provide stub
@@ -1928,6 +1930,13 @@ static void free_test_states(void)
 	}
 }
 
+static __u32 register_session_key(const char *key_data, size_t key_data_size)
+{
+	return syscall(__NR_add_key, "asymmetric", "libbpf_session_key",
+			(const void *)key_data, key_data_size,
+			KEY_SPEC_SESSION_KEYRING);
+}
+
 int main(int argc, char **argv)
 {
 	static const struct argp argp = {
@@ -1961,6 +1970,10 @@ int main(int argc, char **argv)
 	/* Use libbpf 1.0 API mode */
 	libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
 	libbpf_set_print(libbpf_print_fn);
+	err = register_session_key((const char *)test_progs_verification_cert,
+				   test_progs_verification_cert_len);
+	if (err < 0)
+		return err;
 
 	traffic_monitor_set_print(traffic_monitor_print_fn);
 
diff --git a/tools/testing/selftests/bpf/verify_sig_setup.sh b/tools/testing/selftests/bpf/verify_sig_setup.sh
index f2cac42298ba..0834f504f66d 100755
--- a/tools/testing/selftests/bpf/verify_sig_setup.sh
+++ b/tools/testing/selftests/bpf/verify_sig_setup.sh
@@ -32,7 +32,7 @@ usage()
 	exit 1
 }
 
-setup()
+genkey()
 {
 	local tmp_dir="$1"
 
@@ -46,8 +46,15 @@ setup()
 	openssl x509 -in ${tmp_dir}/signing_key.pem -out \
 		${tmp_dir}/signing_key.der -outform der
 
-	key_id=$(cat ${tmp_dir}/signing_key.der | keyctl padd asymmetric ebpf_testing_key @s)
+}
 
+setup()
+{
+	local tmp_dir="$1"
+
+	genkey "${tmp_dir}"
+
+	key_id=$(cat ${tmp_dir}/signing_key.der | keyctl padd asymmetric ebpf_testing_key @s)
 	keyring_id=$(keyctl newring ebpf_testing_keyring @s)
 	keyctl link $key_id $keyring_id
 }
@@ -105,6 +112,8 @@ main()
 
 	if [[ "${action}" == "setup" ]]; then
 		setup "${tmp_dir}"
+	elif [[ "${action}" == "genkey" ]]; then
+		genkey "${tmp_dir}"
 	elif [[ "${action}" == "cleanup" ]]; then
 		cleanup "${tmp_dir}"
 	elif [[ "${action}" == "fsverity-create-sign" ]]; then
-- 
2.43.0

Re: [PATCH v3 08/12] bpf: Implement signature verification for BPF programs

[Paul Moore]

On Wed, Aug 13, 2025 at 4:55 PM KP Singh <kpsingh@kernel.org> wrote:
>
> This patch extends the BPF_PROG_LOAD command by adding three new fields
> to `union bpf_attr` in the user-space API:
>
>   - signature: A pointer to the signature blob.
>   - signature_size: The size of the signature blob.
>   - keyring_id: The serial number of a loaded kernel keyring (e.g.,
>     the user or session keyring) containing the trusted public keys.
>
> When a BPF program is loaded with a signature, the kernel:
>
> 1.  Retrieves the trusted keyring using the provided `keyring_id`.
> 2.  Verifies the supplied signature against the BPF program's
>     instruction buffer.
> 3.  If the signature is valid and was generated by a key in the trusted
>     keyring, the program load proceeds.
> 4.  If no signature is provided, the load proceeds as before, allowing
>     for backward compatibility. LSMs can chose to restrict unsigned
>     programs and implement a security policy.
> 5.  If signature verification fails for any reason,
>     the program is not loaded.
>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  crypto/asymmetric_keys/pkcs7_verify.c |  1 +
>  include/linux/verification.h          |  1 +
>  include/uapi/linux/bpf.h              | 10 +++++++
>  kernel/bpf/helpers.c                  |  2 +-
>  kernel/bpf/syscall.c                  | 42 ++++++++++++++++++++++++++-
>  tools/include/uapi/linux/bpf.h        | 10 +++++++
>  tools/lib/bpf/bpf.c                   |  2 +-
>  7 files changed, 65 insertions(+), 3 deletions(-)

It's nice to see a v3 revision, but it would be good to see some
comments on Blaise's reply to your v2 revision.  From what I can see
it should enable the different use cases and requirements that have
been posted.

https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@microsoft.com

-- 
paul-moore.com

Re: [PATCH v3 08/12] bpf: Implement signature verification for BPF programs

[KP Singh]

On Wed, Aug 13, 2025 at 11:02 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Wed, Aug 13, 2025 at 4:55 PM KP Singh <kpsingh@kernel.org> wrote:
> >
> > This patch extends the BPF_PROG_LOAD command by adding three new fields
> > to `union bpf_attr` in the user-space API:
> >
> >   - signature: A pointer to the signature blob.
> >   - signature_size: The size of the signature blob.
> >   - keyring_id: The serial number of a loaded kernel keyring (e.g.,
> >     the user or session keyring) containing the trusted public keys.
> >
> > When a BPF program is loaded with a signature, the kernel:
> >
> > 1.  Retrieves the trusted keyring using the provided `keyring_id`.
> > 2.  Verifies the supplied signature against the BPF program's
> >     instruction buffer.
> > 3.  If the signature is valid and was generated by a key in the trusted
> >     keyring, the program load proceeds.
> > 4.  If no signature is provided, the load proceeds as before, allowing
> >     for backward compatibility. LSMs can chose to restrict unsigned
> >     programs and implement a security policy.
> > 5.  If signature verification fails for any reason,
> >     the program is not loaded.
> >
> > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > ---
> >  crypto/asymmetric_keys/pkcs7_verify.c |  1 +
> >  include/linux/verification.h          |  1 +
> >  include/uapi/linux/bpf.h              | 10 +++++++
> >  kernel/bpf/helpers.c                  |  2 +-
> >  kernel/bpf/syscall.c                  | 42 ++++++++++++++++++++++++++-
> >  tools/include/uapi/linux/bpf.h        | 10 +++++++
> >  tools/lib/bpf/bpf.c                   |  2 +-
> >  7 files changed, 65 insertions(+), 3 deletions(-)
>
> It's nice to see a v3 revision, but it would be good to see some
> comments on Blaise's reply to your v2 revision.  From what I can see
> it should enable the different use cases and requirements that have
> been posted.

I will defer to Alexei and others here (mostly due to time crunch). It
would however be useful to explain the use-cases in which signed maps
are useful (beyond being a different approach than the current
delegated verification).

>
> https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@microsoft.com


>
> --
> paul-moore.com

Re: [PATCH v3 08/12] bpf: Implement signature verification for BPF programs

[Paul Moore]

On Wed, Aug 13, 2025 at 5:37 PM KP Singh <kpsingh@kernel.org> wrote:
> On Wed, Aug 13, 2025 at 11:02 PM Paul Moore <paul@paul-moore.com> wrote:
> >
> > It's nice to see a v3 revision, but it would be good to see some
> > comments on Blaise's reply to your v2 revision.  From what I can see
> > it should enable the different use cases and requirements that have
> > been posted.
>
> I will defer to Alexei and others here (mostly due to time crunch). It
> would however be useful to explain the use-cases in which signed maps
> are useful (beyond being a different approach than the current
> delegated verification).

The use cases and requirements have been described quite a bit in
previous threads already, with both you and Alexei participating in
those discussions.  If you really can't find the threads on lore let
me know and I'll be happy to send you links to all of the various
threads from the past several months.

However, if I had to point to a single email that I felt best
summarized my requirements, I think it might be this:

<<< QUOTE >>>
The loader (+ implicit loader verification of maps w/original program)
signature verification scheme has been requested by Alexei/KP, and
that's fine, the code is trivial and if the user/admin is satisfied
with that as a solution, great.  However, the loader + map signature
verification scheme has some advantages and helps satisfy some
requirements that are not satisfied by only verifying the loader and
relying on the loader to verify the original program stored in the
maps.  One obvious advantage is that the lskel loader is much simpler
in this case as it doesn't need to worry about verification of the
program maps as that has already been done in bpf_check_signature().
I'm sure there are probably some other obvious reasons, but beyond the
one mentioned above, the other advantages that I'm interested in are a
little less obvious, or at least I haven't seen them brought up yet.
As I mentioned in an earlier thread, it's important to have the LSM
hook that handles authorization of a BPF program load *after* the BPF
program's signature has been verified.  This is not simply because the
LSM implementation might want to enforce and access control on a BPF
program load due to the signature state (signature verified vs no
signature), but also because the LSM might want to measure system
state and/or provide a record of the operation.  If we only verify the
lskel loader, at the point in time that the security_bpf_prog_load()
hook is called, we haven't properly verified both the loader and the
original BPF program stored in the map, that doesn't happen until much
later when the lskel loader executes.  Yes, I understand that may
sound very pedantic and fussy, but there are users who care very much
about those details, and if they see an event in the logs that
indicates that the BPF program signature has been verified as "good",
they need that log event to be fully, 100% true, and not have an
asterix of "only the lskel loader has been verified, the original BPF
program will potentially be verified later without any additional
events being logged to indicate the verification".
<<< /QUOTE >>>

The above was taken from this on-list email:
https://lore.kernel.org/linux-security-module/CAHC9VhQT=ymqssa9ymXtvssHTdVH_64T8Mpb0Mh8oxRD0Guo_Q@mail.gmail.com/

Of course I imagine Blaise might have a few things to add here, but
I'll let him comment on that if he has anything additional to add.

-- 
paul-moore.com

Re: [PATCH v3 11/12] bpftool: Add support for signing BPF programs

[Blaise Boscaccy]

KP Singh <kpsingh@kernel.org> writes:

> Two modes of operation being added:
>
> Add two modes of operation:
>
> * For prog load, allow signing a program immediately before loading. This
>   is essential for command-line testing and administration.
>
>       bpftool prog load -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>
> * For gen skeleton, embed a pre-generated signature into the C skeleton
>   file. This supports the use of signed programs in compiled applications.
>
>       bpftool gen skeleton -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>
> Generation of the loader program and its metadata map is implemented in
> libbpf (bpf_obj__gen_loader). bpftool generates a skeleton that loads
> the program and automates the required steps: freezing the map, creating
> an exclusive map, loading, and running. Users can use standard libbpf
> APIs directly or integrate loader program generation into their own
> toolchains.
>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  .../bpf/bpftool/Documentation/bpftool-gen.rst |  16 +-
>  .../bpftool/Documentation/bpftool-prog.rst    |  18 +-
>  tools/bpf/bpftool/Makefile                    |   6 +-
>  tools/bpf/bpftool/cgroup.c                    |   4 +
>  tools/bpf/bpftool/gen.c                       |  60 ++++-
>  tools/bpf/bpftool/main.c                      |  26 ++-
>  tools/bpf/bpftool/main.h                      |  11 +
>  tools/bpf/bpftool/prog.c                      |  27 ++-
>  tools/bpf/bpftool/sign.c                      | 212 ++++++++++++++++++
>  9 files changed, 367 insertions(+), 13 deletions(-)
>  create mode 100644 tools/bpf/bpftool/sign.c
>
> diff --git a/tools/bpf/bpftool/Documentation/bpftool-gen.rst b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> index ca860fd97d8d..cef469d758ed 100644
> --- a/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> +++ b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> @@ -16,7 +16,8 @@ SYNOPSIS
>  
>  **bpftool** [*OPTIONS*] **gen** *COMMAND*
>  
> -*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } }
> +*OPTIONS* := { |COMMON_OPTIONS| [ { **-L** | **--use-loader** } ]
> +[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }}
>  
>  *COMMAND* := { **object** | **skeleton** | **help** }
>  
> @@ -186,6 +187,19 @@ OPTIONS
>      skeleton). A light skeleton contains a loader eBPF program. It does not use
>      the majority of the libbpf infrastructure, and does not need libelf.
>  
> +-S, --sign
> +    For skeletons, generate a signed skeleton. This option must be used with
> +    **-k** and **-i**. Using this flag implicitly enables **--use-loader**.
> +    See the "Signed Skeletons" section in the description of the
> +    **gen skeleton** command for more details.
> +
> +-k <private_key.pem>
> +    Path to the private key file in PEM format, required for signing.
> +
> +-i <certificate.x509>
> +    Path to the X.509 certificate file in PEM or DER format, required for
> +    signing.
> +
>  EXAMPLES
>  ========
>  **$ cat example1.bpf.c**
> diff --git a/tools/bpf/bpftool/Documentation/bpftool-prog.rst b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
> index f69fd92df8d8..55b812761df2 100644
> --- a/tools/bpf/bpftool/Documentation/bpftool-prog.rst
> +++ b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
> @@ -16,9 +16,9 @@ SYNOPSIS
>  
>  **bpftool** [*OPTIONS*] **prog** *COMMAND*
>  
> -*OPTIONS* := { |COMMON_OPTIONS| |
> -{ **-f** | **--bpffs** } | { **-m** | **--mapcompat** } | { **-n** | **--nomount** } |
> -{ **-L** | **--use-loader** } }
> +*OPTIONS* := { |COMMON_OPTIONS| [ { **-f** | **--bpffs** } ] [ { **-m** | **--mapcompat** } ]
> +[ { **-n** | **--nomount** } ] [ { **-L** | **--use-loader** } ]
> +[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }
>  
>  *COMMANDS* :=
>  { **show** | **list** | **dump xlated** | **dump jited** | **pin** | **load** |
> @@ -248,6 +248,18 @@ OPTIONS
>      creating the maps, and loading the programs (see **bpftool prog tracelog**
>      as a way to dump those messages).
>  
> +-S, --sign
> +    Enable signing of the BPF program before loading. This option must be
> +    used with **-k** and **-i**. Using this flag implicitly enables
> +    **--use-loader**.
> +
> +-k <private_key.pem>
> +    Path to the private key file in PEM format, required when signing.
> +
> +-i <certificate.x509>
> +    Path to the X.509 certificate file in PEM or DER format, required when
> +    signing.
> +
>  EXAMPLES
>  ========
>  **# bpftool prog show**
> diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
> index 9e9a5f006cd2..586d1b2595d1 100644
> --- a/tools/bpf/bpftool/Makefile
> +++ b/tools/bpf/bpftool/Makefile
> @@ -130,8 +130,8 @@ include $(FEATURES_DUMP)
>  endif
>  endif
>  
> -LIBS = $(LIBBPF) -lelf -lz
> -LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
> +LIBS = $(LIBBPF) -lelf -lz -lcrypto
> +LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
>  
>  ifeq ($(feature-libelf-zstd),1)
>  LIBS += -lzstd
> @@ -194,7 +194,7 @@ endif
>  
>  BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
>  
> -BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
> +BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
>  $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
>  
>  OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
> diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> index 944ebe21a216..ec356deb27c9 100644
> --- a/tools/bpf/bpftool/cgroup.c
> +++ b/tools/bpf/bpftool/cgroup.c
> @@ -2,6 +2,10 @@
>  // Copyright (C) 2017 Facebook
>  // Author: Roman Gushchin <guro@fb.com>
>  
> +#undef GCC_VERSION
> +#ifndef _GNU_SOURCE
> +#define _GNU_SOURCE
> +#endif
>  #define _XOPEN_SOURCE 500
>  #include <errno.h>
>  #include <fcntl.h>
> diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
> index 67a60114368f..427468c9e9c2 100644
> --- a/tools/bpf/bpftool/gen.c
> +++ b/tools/bpf/bpftool/gen.c
> @@ -688,10 +688,17 @@ static void codegen_destroy(struct bpf_object *obj, const char *obj_name)
>  static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *header_guard)
>  {
>  	DECLARE_LIBBPF_OPTS(gen_loader_opts, opts);
> +	struct bpf_load_and_run_opts sopts = {};
> +	char sig_buf[MAX_SIG_SIZE];
> +	__u8 prog_sha[SHA256_DIGEST_LENGTH];
>  	struct bpf_map *map;
> +
>  	char ident[256];
>  	int err = 0;
>  
> +	if (sign_progs)
> +		opts.gen_hash = true;
> +
>  	err = bpf_object__gen_loader(obj, &opts);
>  	if (err)
>  		return err;
> @@ -701,6 +708,7 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
>  		p_err("failed to load object file");
>  		goto out;
>  	}
> +
>  	/* If there was no error during load then gen_loader_opts
>  	 * are populated with the loader program.
>  	 */
> @@ -780,8 +788,51 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
>  	print_hex(opts.insns, opts.insns_sz);
>  	codegen("\
>  		\n\
> -		\";							    \n\
> -									    \n\
> +		\";\n");
> +
> +	if (sign_progs) {
> +		sopts.insns = opts.insns;
> +		sopts.insns_sz = opts.insns_sz;
> +		sopts.excl_prog_hash = prog_sha;
> +		sopts.excl_prog_hash_sz = sizeof(prog_sha);
> +		sopts.signature = sig_buf;
> +		sopts.signature_sz = MAX_SIG_SIZE;
> +		sopts.keyring_id = KEY_SPEC_SESSION_KEYRING;
> +

This still has the session keyring hardcoded. 

> +		err = bpftool_prog_sign(&sopts);
> +		if (err < 0)
> +			return err;
> +
> +		codegen("\
> +		\n\
> +			static const char opts_sig[] __attribute__((__aligned__(8))) = \"\\\n\
> +		");
> +		print_hex((const void *)sig_buf, sopts.signature_sz);
> +		codegen("\
> +		\n\
> +		\";\n");
> +
> +		codegen("\
> +		\n\
> +			static const char opts_excl_hash[] __attribute__((__aligned__(8))) = \"\\\n\
> +		");
> +		print_hex((const void *)prog_sha, sizeof(prog_sha));
> +		codegen("\
> +		\n\
> +		\";\n");
> +
> +		codegen("\
> +		\n\
> +			opts.signature = (void *)opts_sig;			\n\
> +			opts.signature_sz = sizeof(opts_sig) - 1;		\n\
> +			opts.excl_prog_hash = (void *)opts_excl_hash;		\n\
> +			opts.excl_prog_hash_sz = sizeof(opts_excl_hash) - 1;	\n\
> +			opts.keyring_id = KEY_SPEC_SESSION_KEYRING;		\n\
> +		");

And here.

> +	}
> +
> +	codegen("\
> +		\n\
>  			opts.ctx = (struct bpf_loader_ctx *)skel;	    \n\
>  			opts.data_sz = sizeof(opts_data) - 1;		    \n\
>  			opts.data = (void *)opts_data;			    \n\
> @@ -1240,7 +1291,7 @@ static int do_skeleton(int argc, char **argv)
>  		err = -errno;
>  		libbpf_strerror(err, err_buf, sizeof(err_buf));
>  		p_err("failed to open BPF object file: %s", err_buf);
> -		goto out;
> +		goto out_obj;
>  	}
>  
>  	bpf_object__for_each_map(map, obj) {
> @@ -1552,6 +1603,7 @@ static int do_skeleton(int argc, char **argv)
>  	err = 0;
>  out:
>  	bpf_object__close(obj);
> +out_obj:
>  	if (obj_data)
>  		munmap(obj_data, mmap_sz);
>  	close(fd);
> @@ -1930,7 +1982,7 @@ static int do_help(int argc, char **argv)
>  		"       %1$s %2$s help\n"
>  		"\n"
>  		"       " HELP_SPEC_OPTIONS " |\n"
> -		"                    {-L|--use-loader} }\n"
> +		"                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
>  		"",
>  		bin_name, "gen");
>  
> diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
> index 0f1183b2ed0a..c78eb80b9c94 100644
> --- a/tools/bpf/bpftool/main.c
> +++ b/tools/bpf/bpftool/main.c
> @@ -33,6 +33,9 @@ bool relaxed_maps;
>  bool use_loader;
>  struct btf *base_btf;
>  struct hashmap *refs_table;
> +bool sign_progs;
> +const char *private_key_path;
> +const char *cert_path;
>  
>  static void __noreturn clean_and_exit(int i)
>  {
> @@ -448,6 +451,7 @@ int main(int argc, char **argv)
>  		{ "nomount",	no_argument,	NULL,	'n' },
>  		{ "debug",	no_argument,	NULL,	'd' },
>  		{ "use-loader",	no_argument,	NULL,	'L' },
> +		{ "sign",	no_argument,	NULL,	'S' },
>  		{ "base-btf",	required_argument, NULL, 'B' },
>  		{ 0 }
>  	};
> @@ -474,7 +478,7 @@ int main(int argc, char **argv)
>  	bin_name = "bpftool";
>  
>  	opterr = 0;
> -	while ((opt = getopt_long(argc, argv, "VhpjfLmndB:l",
> +	while ((opt = getopt_long(argc, argv, "VhpjfLmndSi:k:B:l",
>  				  options, NULL)) >= 0) {
>  		switch (opt) {
>  		case 'V':
> @@ -520,6 +524,16 @@ int main(int argc, char **argv)
>  		case 'L':
>  			use_loader = true;
>  			break;
> +		case 'S':
> +			sign_progs = true;
> +			use_loader = true;
> +			break;
> +		case 'k':
> +			private_key_path = optarg;
> +			break;
> +		case 'i':
> +			cert_path = optarg;
> +			break;
>  		default:
>  			p_err("unrecognized option '%s'", argv[optind - 1]);
>  			if (json_output)
> @@ -534,6 +548,16 @@ int main(int argc, char **argv)
>  	if (argc < 0)
>  		usage();
>  
> +	if (sign_progs && (private_key_path == NULL || cert_path == NULL)) {
> +		p_err("-i <identity_x509_cert> and -k <private> key must be supplied with -S for signing");
> +		return -EINVAL;
> +	}
> +
> +	if (!sign_progs && (private_key_path != NULL || cert_path != NULL)) {
> +		p_err("-i <identity_x509_cert> and -k <private> also need --sign to be used for sign programs");
> +		return -EINVAL;
> +	}
> +
>  	if (version_requested)
>  		ret = do_version(argc, argv);
>  	else
> diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
> index a2bb0714b3d6..f7f5b39b66c8 100644
> --- a/tools/bpf/bpftool/main.h
> +++ b/tools/bpf/bpftool/main.h
> @@ -6,9 +6,14 @@
>  
>  /* BFD and kernel.h both define GCC_VERSION, differently */
>  #undef GCC_VERSION
> +#ifndef _GNU_SOURCE
> +#define _GNU_SOURCE
> +#endif
>  #include <stdbool.h>
>  #include <stdio.h>
> +#include <errno.h>
>  #include <stdlib.h>
> +#include <bpf/skel_internal.h>
>  #include <linux/bpf.h>
>  #include <linux/compiler.h>
>  #include <linux/kernel.h>
> @@ -52,6 +57,7 @@ static inline void *u64_to_ptr(__u64 ptr)
>  	})
>  
>  #define ERR_MAX_LEN	1024
> +#define MAX_SIG_SIZE	4096
>  
>  #define BPF_TAG_FMT	"%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
>  
> @@ -85,6 +91,9 @@ extern bool relaxed_maps;
>  extern bool use_loader;
>  extern struct btf *base_btf;
>  extern struct hashmap *refs_table;
> +extern bool sign_progs;
> +extern const char *private_key_path;
> +extern const char *cert_path;
>  
>  void __printf(1, 2) p_err(const char *fmt, ...);
>  void __printf(1, 2) p_info(const char *fmt, ...);
> @@ -275,4 +284,6 @@ int pathname_concat(char *buf, int buf_sz, const char *path,
>  /* print netfilter bpf_link info */
>  void netfilter_dump_plain(const struct bpf_link_info *info);
>  void netfilter_dump_json(const struct bpf_link_info *info, json_writer_t *wtr);
> +int bpftool_prog_sign(struct bpf_load_and_run_opts *opts);
> +__u32 register_session_key(const char *key_der_path);
>  #endif
> diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
> index 9722d841abc0..82b8da084504 100644
> --- a/tools/bpf/bpftool/prog.c
> +++ b/tools/bpf/bpftool/prog.c
> @@ -23,6 +23,7 @@
>  #include <linux/err.h>
>  #include <linux/perf_event.h>
>  #include <linux/sizes.h>
> +#include <linux/keyctl.h>
>  
>  #include <bpf/bpf.h>
>  #include <bpf/btf.h>
> @@ -1930,6 +1931,8 @@ static int try_loader(struct gen_loader_opts *gen)
>  {
>  	struct bpf_load_and_run_opts opts = {};
>  	struct bpf_loader_ctx *ctx;
> +	char sig_buf[MAX_SIG_SIZE];
> +	__u8 prog_sha[SHA256_DIGEST_LENGTH];
>  	int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
>  					     sizeof(struct bpf_prog_desc));
>  	int log_buf_sz = (1u << 24) - 1;
> @@ -1953,6 +1956,24 @@ static int try_loader(struct gen_loader_opts *gen)
>  	opts.insns = gen->insns;
>  	opts.insns_sz = gen->insns_sz;
>  	fds_before = count_open_fds();
> +
> +	if (sign_progs) {
> +		opts.excl_prog_hash = prog_sha;
> +		opts.excl_prog_hash_sz = sizeof(prog_sha);
> +		opts.signature = sig_buf;
> +		opts.signature_sz = MAX_SIG_SIZE;
> +		opts.keyring_id = KEY_SPEC_SESSION_KEYRING;
> +

And here as well. 

> +		err = bpftool_prog_sign(&opts);
> +		if (err < 0)
> +			return err;
> +
> +		err = register_session_key(cert_path);
> +		if (err < 0) {
> +			p_err("failed to add session key");
> +			goto out;
> +		}
> +	}
>  	err = bpf_load_and_run(&opts);
>  	fd_delta = count_open_fds() - fds_before;
>  	if (err < 0 || verifier_logs) {
> @@ -1961,6 +1982,7 @@ static int try_loader(struct gen_loader_opts *gen)
>  			fprintf(stderr, "loader prog leaked %d FDs\n",
>  				fd_delta);
>  	}
> +out:
>  	free(log_buf);
>  	return err;
>  }
> @@ -1988,6 +2010,9 @@ static int do_loader(int argc, char **argv)
>  		goto err_close_obj;
>  	}
>  
> +	if (sign_progs)
> +		gen.gen_hash = true;
> +
>  	err = bpf_object__gen_loader(obj, &gen);
>  	if (err)
>  		goto err_close_obj;
> @@ -2562,7 +2587,7 @@ static int do_help(int argc, char **argv)
>  		"       METRIC := { cycles | instructions | l1d_loads | llc_misses | itlb_misses | dtlb_misses }\n"
>  		"       " HELP_SPEC_OPTIONS " |\n"
>  		"                    {-f|--bpffs} | {-m|--mapcompat} | {-n|--nomount} |\n"
> -		"                    {-L|--use-loader} }\n"
> +		"                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ] \n"
>  		"",
>  		bin_name, argv[-2]);
>  
> diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
> new file mode 100644
> index 000000000000..b29d825bb1d4
> --- /dev/null
> +++ b/tools/bpf/bpftool/sign.c
> @@ -0,0 +1,212 @@
> +// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> +/*
> + * Copyright (C) 2025 Google LLC.
> + */
> +
> +#ifndef _GNU_SOURCE
> +#define _GNU_SOURCE
> +#endif
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <stdint.h>
> +#include <stdbool.h>
> +#include <string.h>
> +#include <string.h>
> +#include <getopt.h>
> +#include <err.h>
> +#include <openssl/opensslv.h>
> +#include <openssl/bio.h>
> +#include <openssl/evp.h>
> +#include <openssl/pem.h>
> +#include <openssl/err.h>
> +#include <openssl/cms.h>
> +#include <linux/keyctl.h>
> +#include <errno.h>
> +
> +#include <bpf/skel_internal.h>
> +
> +#include "main.h"
> +
> +#define OPEN_SSL_ERR_BUF_LEN 256
> +
> +static void display_openssl_errors(int l)
> +{
> +	char buf[OPEN_SSL_ERR_BUF_LEN];
> +	const char *file;
> +	const char *data;
> +	unsigned long e;
> +	int flags;
> +	int line;
> +
> +	while ((e = ERR_get_error_all(&file, &line, NULL, &data, &flags))) {
> +		ERR_error_string_n(e, buf, sizeof(buf));
> +		if (data && (flags & ERR_TXT_STRING)) {
> +			p_err("OpenSSL %s: %s:%d: %s", buf, file, line, data);
> +		} else {
> +			p_err("OpenSSL %s: %s:%d", buf, file, line);
> +		}
> +	}
> +}
> +
> +#define DISPLAY_OSSL_ERR(cond)				 \
> +	do {						 \
> +		bool __cond = (cond);			 \
> +		if (__cond && ERR_peek_error())		 \
> +			display_openssl_errors(__LINE__);\
> +	} while (0)
> +
> +static EVP_PKEY *read_private_key(const char *pkey_path)
> +{
> +	EVP_PKEY *private_key = NULL;
> +	BIO *b;
> +
> +	b = BIO_new_file(pkey_path, "rb");
> +	private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
> +	BIO_free(b);
> +	DISPLAY_OSSL_ERR(!private_key);
> +	return private_key;
> +}
> +
> +static X509 *read_x509(const char *x509_name)
> +{
> +	unsigned char buf[2];
> +	X509 *x509 = NULL;
> +	BIO *b;
> +	int n;
> +
> +	b = BIO_new_file(x509_name, "rb");
> +	if (!b)
> +		goto cleanup;
> +
> +	/* Look at the first two bytes of the file to determine the encoding */
> +	n = BIO_read(b, buf, 2);
> +	if (n != 2)
> +		goto cleanup;
> +
> +	if (BIO_reset(b) != 0)
> +		goto cleanup;
> +
> +	if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
> +		/* Assume raw DER encoded X.509 */
> +		x509 = d2i_X509_bio(b, NULL);
> +	else
> +		/* Assume PEM encoded X.509 */
> +		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
> +
> +cleanup:
> +	BIO_free(b);
> +	DISPLAY_OSSL_ERR(!x509);
> +	return x509;
> +}
> +
> +__u32 register_session_key(const char *key_der_path)
> +{
> +	unsigned char *der_buf = NULL;
> +	X509 *x509 = NULL;
> +	int key_id = -1;
> +	int der_len;
> +
> +	if (!key_der_path)
> +		return key_id;
> +	x509 = read_x509(key_der_path);
> +	if (!x509)
> +		goto cleanup;
> +	der_len = i2d_X509(x509, &der_buf);
> +	if (der_len < 0)
> +		goto cleanup;
> +	key_id = syscall(__NR_add_key, "asymmetric", key_der_path, der_buf,
> +			     (size_t)der_len, KEY_SPEC_SESSION_KEYRING);
> +cleanup:
> +	X509_free(x509);
> +	OPENSSL_free(der_buf);
> +	DISPLAY_OSSL_ERR(key_id == -1);
> +	return key_id;
> +}
> +
> +int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
> +{
> +	BIO *bd_in = NULL, *bd_out = NULL;
> +	EVP_PKEY *private_key = NULL;
> +	CMS_ContentInfo *cms = NULL;
> +	long actual_sig_len = 0;
> +	X509 *x509 = NULL;
> +	int err = 0;
> +
> +	bd_in = BIO_new_mem_buf(opts->insns, opts->insns_sz);
> +	if (!bd_in) {
> +		err = -ENOMEM;
> +		goto cleanup;
> +	}
> +
> +	private_key = read_private_key(private_key_path);
> +	if (!private_key) {
> +		err = -EINVAL;
> +		goto cleanup;
> +	}
> +
> +	x509 = read_x509(cert_path);
> +	if (!x509) {
> +		err = -EINVAL;
> +		goto cleanup;
> +	}
> +
> +	cms = CMS_sign(NULL, NULL, NULL, NULL,
> +		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED |
> +			       CMS_STREAM);
> +	if (!cms) {
> +		err = -EINVAL;
> +		goto cleanup;
> +	}
> +
> +	if (!CMS_add1_signer(cms, x509, private_key, EVP_sha256(),
> +			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
> +			     CMS_USE_KEYID | CMS_NOATTR)) {
> +		err = -EINVAL;
> +		goto cleanup;
> +	}
> +
> +	if (CMS_final(cms, bd_in, NULL, CMS_NOCERTS | CMS_BINARY) != 1) {
> +		err = -EIO;
> +		goto cleanup;
> +	}
> +
> +	EVP_Digest(opts->insns, opts->insns_sz, opts->excl_prog_hash,
> +		   &opts->excl_prog_hash_sz, EVP_sha256(), NULL);
> +
> +		bd_out = BIO_new(BIO_s_mem());
> +	if (!bd_out) {
> +		err = -ENOMEM;
> +		goto cleanup;
> +	}
> +
> +	if (!i2d_CMS_bio_stream(bd_out, cms, NULL, 0)) {
> +		err = -EIO;
> +		goto cleanup;
> +	}
> +
> +	actual_sig_len = BIO_get_mem_data(bd_out, NULL);
> +	if (actual_sig_len <= 0) {
> +		err = -EIO;
> +		goto cleanup;
> +	}
> +
> +	if ((size_t)actual_sig_len > opts->signature_sz) {
> +		err = -ENOSPC;
> +		goto cleanup;
> +	}
> +
> +	if (BIO_read(bd_out, opts->signature, actual_sig_len) != actual_sig_len) {
> +		err = -EIO;
> +		goto cleanup;
> +	}
> +
> +	opts->signature_sz = actual_sig_len;
> +cleanup:
> +	BIO_free(bd_out);
> +	CMS_ContentInfo_free(cms);
> +	X509_free(x509);
> +	EVP_PKEY_free(private_key);
> +	BIO_free(bd_in);
> +	DISPLAY_OSSL_ERR(err < 0);
> +	return err;
> +}
> -- 
> 2.43.0

Re: [PATCH v3 03/12] libbpf: Implement SHA256 internal helper

[Andrii Nakryiko]

On Wed, Aug 13, 2025 at 1:55 PM KP Singh <kpsingh@kernel.org> wrote:
>
> Use AF_ALG sockets to not have libbpf depend on OpenSSL. The helper is
> used for the loader generation code to embed the metadata hash in the
> loader program and also by the bpf_map__make_exclusive API to calculate
> the hash of the program the map is exclusive to.
>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  tools/lib/bpf/libbpf.c          | 59 +++++++++++++++++++++++++++++++++
>  tools/lib/bpf/libbpf_internal.h |  4 +++
>  2 files changed, 63 insertions(+)
>

LGTM, but see note about unnecessary libbpf_err()

Acked-by: Andrii Nakryiko <andrii@kernel.org>

> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 8f5a81b672e1..0bb3d71dcd9f 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -43,6 +43,9 @@
>  #include <sys/vfs.h>
>  #include <sys/utsname.h>
>  #include <sys/resource.h>
> +#include <sys/socket.h>
> +#include <linux/if_alg.h>
> +#include <linux/socket.h>
>  #include <libelf.h>
>  #include <gelf.h>
>  #include <zlib.h>
> @@ -14207,3 +14210,59 @@ void bpf_object__destroy_skeleton(struct bpf_object_skeleton *s)
>         free(s->progs);
>         free(s);
>  }
> +
> +int libbpf_sha256(const void *data, size_t data_sz, void *sha_out, size_t sha_out_sz)
> +{
> +       struct sockaddr_alg sa = {
> +               .salg_family = AF_ALG,
> +               .salg_type   = "hash",
> +               .salg_name   = "sha256"
> +       };
> +       int sock_fd = -1;
> +       int op_fd = -1;
> +       int err = 0;
> +
> +       if (sha_out_sz != SHA256_DIGEST_LENGTH) {
> +               pr_warn("sha_out_sz should be exactly 32 bytes for a SHA256 digest");
> +               return libbpf_err(-EINVAL);

this is an internal function, so there is no need to use libbpf_err()
to return error codes. Here and everywhere below should be just
`return -Exxx;`


> +       }
> +
> +       sock_fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
> +       if (sock_fd < 0) {
> +               err = -errno;
> +               pr_warn("failed to create AF_ALG socket for SHA256: %s\n", errstr(err));
> +               return libbpf_err(err);
> +       }
> +
> +       if (bind(sock_fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
> +               err = -errno;
> +               pr_warn("failed to bind to AF_ALG socket for SHA256: %s\n", errstr(err));
> +               goto out;
> +       }
> +
> +       op_fd = accept(sock_fd, NULL, 0);
> +       if (op_fd < 0) {
> +               err = -errno;
> +               pr_warn("failed to accept from AF_ALG socket for SHA256: %s\n", errstr(err));
> +               goto out;
> +       }
> +
> +       if (write(op_fd, data, data_sz) != data_sz) {
> +               err = -errno;
> +               pr_warn("failed to write data to AF_ALG socket for SHA256: %s\n", errstr(err));
> +               goto out;
> +       }
> +
> +       if (read(op_fd, sha_out, SHA256_DIGEST_LENGTH) != SHA256_DIGEST_LENGTH) {
> +               err = -errno;
> +               pr_warn("failed to read SHA256 from AF_ALG socket: %s\n", errstr(err));
> +               goto out;
> +       }
> +
> +out:
> +       if (op_fd >= 0)
> +               close(op_fd);
> +       if (sock_fd >= 0)
> +               close(sock_fd);
> +       return libbpf_err(err);
> +}
> diff --git a/tools/lib/bpf/libbpf_internal.h b/tools/lib/bpf/libbpf_internal.h
> index 477a3b3389a0..8a055de0d324 100644
> --- a/tools/lib/bpf/libbpf_internal.h
> +++ b/tools/lib/bpf/libbpf_internal.h
> @@ -736,4 +736,8 @@ int elf_resolve_pattern_offsets(const char *binary_path, const char *pattern,
>
>  int probe_fd(int fd);
>
> +#define SHA256_DIGEST_LENGTH 32
> +#define SHA256_DWORD_SIZE SHA256_DIGEST_LENGTH / sizeof(__u64)
> +
> +int libbpf_sha256(const void *data, size_t data_sz, void *sha_out, size_t sha_out_sz);
>  #endif /* __LIBBPF_LIBBPF_INTERNAL_H */
> --
> 2.43.0
>

Re: [PATCH v3 04/12] libbpf: Support exclusive map creation

[Andrii Nakryiko]

On Wed, Aug 13, 2025 at 1:55 PM KP Singh <kpsingh@kernel.org> wrote:
>
> Implement setters and getters that allow map to be registers as

typo: registered

> exclusive to the specified program. The registration should be done
> before the exclusive program is loaded.
>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  tools/lib/bpf/bpf.c      |  4 ++-
>  tools/lib/bpf/bpf.h      |  4 ++-
>  tools/lib/bpf/libbpf.c   | 66 ++++++++++++++++++++++++++++++++++++++++
>  tools/lib/bpf/libbpf.h   | 18 +++++++++++
>  tools/lib/bpf/libbpf.map |  2 ++
>  5 files changed, 92 insertions(+), 2 deletions(-)
>
> diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c
> index ab40dbf9f020..6a08a1559237 100644
> --- a/tools/lib/bpf/bpf.c
> +++ b/tools/lib/bpf/bpf.c
> @@ -172,7 +172,7 @@ int bpf_map_create(enum bpf_map_type map_type,
>                    __u32 max_entries,
>                    const struct bpf_map_create_opts *opts)
>  {
> -       const size_t attr_sz = offsetofend(union bpf_attr, map_token_fd);
> +       const size_t attr_sz = offsetofend(union bpf_attr, excl_prog_hash);
>         union bpf_attr attr;
>         int fd;
>
> @@ -203,6 +203,8 @@ int bpf_map_create(enum bpf_map_type map_type,
>         attr.map_ifindex = OPTS_GET(opts, map_ifindex, 0);
>
>         attr.map_token_fd = OPTS_GET(opts, token_fd, 0);
> +       attr.excl_prog_hash = ptr_to_u64(OPTS_GET(opts, excl_prog_hash, NULL));
> +       attr.excl_prog_hash_size = OPTS_GET(opts, excl_prog_hash_size, 0);
>
>         fd = sys_bpf_fd(BPF_MAP_CREATE, &attr, attr_sz);
>         return libbpf_err_errno(fd);
> diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
> index 7252150e7ad3..675a09bb7d2f 100644
> --- a/tools/lib/bpf/bpf.h
> +++ b/tools/lib/bpf/bpf.h
> @@ -54,9 +54,11 @@ struct bpf_map_create_opts {
>         __s32 value_type_btf_obj_fd;
>
>         __u32 token_fd;
> +       __u32 excl_prog_hash_size;

leaving a gap here, can you please reorder and have hash first,
followed by size?

> +       const void *excl_prog_hash;
>         size_t :0;
>  };
> -#define bpf_map_create_opts__last_field token_fd
> +#define bpf_map_create_opts__last_field excl_prog_hash
>
>  LIBBPF_API int bpf_map_create(enum bpf_map_type map_type,
>                               const char *map_name,
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 0bb3d71dcd9f..ed3294f69271 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -499,6 +499,7 @@ struct bpf_program {
>         __u32 line_info_rec_size;
>         __u32 line_info_cnt;
>         __u32 prog_flags;
> +       __u8  hash[SHA256_DIGEST_LENGTH];
>  };
>
>  struct bpf_struct_ops {
> @@ -578,6 +579,7 @@ struct bpf_map {
>         bool autocreate;
>         bool autoattach;
>         __u64 map_extra;
> +       struct bpf_program *excl_prog;
>  };
>
>  enum extern_type {
> @@ -4488,6 +4490,43 @@ bpf_object__section_to_libbpf_map_type(const struct bpf_object *obj, int shndx)
>         }
>  }
>
> +static int bpf_program__compute_hash(struct bpf_program *prog)

nit: this is not an API, so please don't use double underscores.
Something like bpf_prog_compute_hash() should do.

> +{
> +       struct bpf_insn *purged;
> +       int i, err;
> +
> +       purged = calloc(1, BPF_INSN_SZ * prog->insns_cnt);

we had some patch fixing similar argument misuse issue, so I'd rather
have calloc(prog->insns_cnt, BPF_INSN_SZ), if you don't mind

> +       if (!purged)
> +               return -ENOMEM;
> +
> +       /* If relocations have been done, the map_fd needs to be
> +        * discarded for the digest calculation.
> +        */
> +       for (i = 0; i < prog->insns_cnt; i++) {
> +               purged[i] = prog->insns[i];
> +               if (purged[i].code == (BPF_LD | BPF_IMM | BPF_DW) &&
> +                   (purged[i].src_reg == BPF_PSEUDO_MAP_FD ||
> +                    purged[i].src_reg == BPF_PSEUDO_MAP_VALUE)) {
> +                       purged[i].imm = 0;
> +                       i++;
> +                       if (i >= prog->insns_cnt ||
> +                           prog->insns[i].code != 0 ||
> +                           prog->insns[i].dst_reg != 0 ||
> +                           prog->insns[i].src_reg != 0 ||
> +                           prog->insns[i].off != 0) {
> +                               err = -EINVAL;
> +                               goto out;
> +                       }
> +                       purged[i] = prog->insns[i];
> +                       purged[i].imm = 0;
> +               }
> +       }
> +       err = libbpf_sha256(purged, prog->insns_cnt * sizeof(struct bpf_insn), prog->hash, SHA256_DIGEST_LENGTH);

too long, wrap before prog->hash?

> +out:
> +       free(purged);
> +       return err;
> +}
> +
>  static int bpf_program__record_reloc(struct bpf_program *prog,
>                                      struct reloc_desc *reloc_desc,
>                                      __u32 insn_idx, const char *sym_name,
> @@ -5227,6 +5266,18 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b
>         create_attr.token_fd = obj->token_fd;
>         if (obj->token_fd)
>                 create_attr.map_flags |= BPF_F_TOKEN_FD;
> +       if (map->excl_prog) {
> +               if (map->excl_prog->obj->state == OBJ_LOADED) {
> +                       pr_warn("exclusive program already loaded\n");
> +                       return libbpf_err(-EINVAL);
> +               }

unnecessary check, maps are always created before programs, so if
map->excl_prog belongs to the same bpf_object (and it should), then we
implicitly have a guarantee it's not yet created. So please drop.

> +               err = bpf_program__compute_hash(map->excl_prog);
> +               if (err)
> +                       return err;
> +
> +               create_attr.excl_prog_hash = map->excl_prog->hash;
> +               create_attr.excl_prog_hash_size = SHA256_DIGEST_LENGTH;
> +       }
>
>         if (bpf_map__is_struct_ops(map)) {
>                 create_attr.btf_vmlinux_value_type_id = map->btf_vmlinux_value_type_id;
> @@ -10517,6 +10568,21 @@ int bpf_map__set_inner_map_fd(struct bpf_map *map, int fd)
>         return 0;
>  }
>
> +int bpf_map__set_exclusive_program(struct bpf_map *map, struct bpf_program *prog)
> +{
> +       if (map_is_created(map)) {
> +               pr_warn("exclusive programs must be set before map creation\n");
> +               return libbpf_err(-EINVAL);
> +       }

should we worry about someone providing a bpf_program that doesn't
belong to the same bpf_object that map belongs to? it's easy to check,
just compare map->obj and prog->obj

> +       map->excl_prog = prog;
> +       return 0;
> +}
> +
> +struct bpf_program *bpf_map__get_exclusive_program(struct bpf_map *map)

libbpf getters don't have "get_" prefix, so just bpf_map__exclusive_program()

> +{
> +       return map->excl_prog;
> +}
> +
>  static struct bpf_map *
>  __bpf_map__iter(const struct bpf_map *m, const struct bpf_object *obj, int i)
>  {
> diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h
> index 455a957cb702..ddaf58c8a298 100644
> --- a/tools/lib/bpf/libbpf.h
> +++ b/tools/lib/bpf/libbpf.h
> @@ -1266,7 +1266,25 @@ LIBBPF_API int bpf_map__lookup_and_delete_elem(const struct bpf_map *map,
>   */
>  LIBBPF_API int bpf_map__get_next_key(const struct bpf_map *map,
>                                      const void *cur_key, void *next_key, size_t key_sz);
> +/**
> + * @brief **bpf_map__set_exclusive_program()** sets map to be exclusive to the
> + * to the specified program. The program must not be loaded yet.

typo: "to the" duplicated

Also, I think the more important restriction is that the map should
not have been created yet (so this has to be called between opening
and prepare/load steps, just like setting read-only global variables).
This by implication will mean that the program is not loaded either,
as we'll restrict bpf_program to be from the same bpf_object (which
you can mention as well for clarity).

> + * @param map BPF map to make exclusive.
> + * @param prog BPF program to be the exclusive user of the map.
> + * @return 0 on success; a negative error code otherwise.
> + *
> + * Once a map is made exclusive, only the specified program can access its
> + * contents.
> + */
> +LIBBPF_API int bpf_map__set_exclusive_program(struct bpf_map *map, struct bpf_program *prog);
>
> +/**
> + * @brief **bpf_map__get_exclusive_program()** returns the exclusive program
> + * that is registered with the map (if any).
> + * @param map BPF map to which the exclusive program is registered.
> + * @return the registered exclusive program.
> + */
> +LIBBPF_API struct bpf_program *bpf_map__get_exclusive_program(struct bpf_map *map);
>  struct bpf_xdp_set_link_opts {
>         size_t sz;
>         int old_fd;
> diff --git a/tools/lib/bpf/libbpf.map b/tools/lib/bpf/libbpf.map
> index d7bd463e7017..a5c5d0f2db5c 100644
> --- a/tools/lib/bpf/libbpf.map
> +++ b/tools/lib/bpf/libbpf.map
> @@ -436,6 +436,8 @@ LIBBPF_1.6.0 {
>                 bpf_linker__add_buf;
>                 bpf_linker__add_fd;
>                 bpf_linker__new_fd;
> +               bpf_map__set_exclusive_program;
> +               bpf_map__get_exclusive_program;

we are in LIBBPF_1.7.0 now, so please move

pw-bot: cr


>                 bpf_object__prepare;
>                 bpf_prog_stream_read;
>                 bpf_program__attach_cgroup_opts;
> --
> 2.43.0
>

Re: [PATCH v3 06/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD

[Andrii Nakryiko]

On Wed, Aug 13, 2025 at 1:55 PM KP Singh <kpsingh@kernel.org> wrote:
>
> Currently only array maps are supported, but the implementation can be
> extended for other maps and objects. The hash is memoized only for
> exclusive and frozen maps as their content is stable until the exclusive
> program modifies the map.
>
> This is required  for BPF signing, enabling a trusted loader program to
> verify a map's integrity. The loader retrieves
> the map's runtime hash from the kernel and compares it against an
> expected hash computed at build time.
>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  include/linux/bpf.h                           |  3 +++
>  include/uapi/linux/bpf.h                      |  2 ++
>  kernel/bpf/arraymap.c                         | 13 +++++++++++
>  kernel/bpf/syscall.c                          | 23 +++++++++++++++++++
>  tools/include/uapi/linux/bpf.h                |  2 ++
>  .../selftests/bpf/progs/verifier_map_ptr.c    |  7 ++++--
>  6 files changed, 48 insertions(+), 2 deletions(-)
>

[...]

>  struct bpf_btf_info {
> diff --git a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> index 11a079145966..e2767d27d8aa 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> @@ -70,10 +70,13 @@ __naked void bpf_map_ptr_write_rejected(void)
>         : __clobber_all);
>  }
>
> +/* The first element of struct bpf_map is a SHA256 hash of 32 bytes, accessing
> + * into this array is valid. The opts field is now at offset 33.
> + */

Does hash have to be at the beginning of struct bpf_map? why not just
put it at the end and not have to adjust any tests?.. (which now will
fail on older kernel for no good reason, unless I miss something)


>  SEC("socket")
>  __description("bpf_map_ptr: read non-existent field rejected")
>  __failure
> -__msg("cannot access ptr member ops with moff 0 in struct bpf_map with off 1 size 4")
> +__msg("cannot access ptr member ops with moff 32 in struct bpf_map with off 33 size 4")
>  __failure_unpriv
>  __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
>  __flag(BPF_F_ANY_ALIGNMENT)
> @@ -82,7 +85,7 @@ __naked void read_non_existent_field_rejected(void)
>         asm volatile ("                                 \
>         r6 = 0;                                         \
>         r1 = %[map_array_48b] ll;                       \
> -       r6 = *(u32*)(r1 + 1);                           \
> +       r6 = *(u32*)(r1 + 33);                          \
>         r0 = 1;                                         \
>         exit;                                           \
>  "      :
> --
> 2.43.0
>

Re: [PATCH v3 09/12] libbpf: Update light skeleton for signing

[Andrii Nakryiko]

On Wed, Aug 13, 2025 at 1:55 PM KP Singh <kpsingh@kernel.org> wrote:
>
> * The metadata map is created with as an exclusive map (with an
> excl_prog_hash) This restricts map access exclusively to the signed
> loader program, preventing tampering by other processes.
>
> * The map is then frozen, making it read-only from userspace.
>
> * BPF_OBJ_GET_INFO_BY_ID instructs the kernel to compute the hash of the
>   metadata map (H') and store it in bpf_map->sha.
>
> * The loader is then loaded with the signature which is then verified by
>   the kernel.
>
> The sekeleton currently uses the session keyring
> (KEY_SPEC_SESSION_KEYRING) by default but this can
> be overridden by the user of the skeleton.
>
> loading signed programs prebuilt into the kernel are not currently
> supported. These can supported by enabling BPF_OBJ_GET_INFO_BY_ID to be
> called from the kernel.
>
> Signed-off-by: KP Singh <kpsingh@kernel.org>
> ---
>  tools/lib/bpf/skel_internal.h | 75 +++++++++++++++++++++++++++++++++--
>  1 file changed, 71 insertions(+), 4 deletions(-)
>

[...]

> +static inline int skel_obj_get_info_by_fd(int fd)
> +{
> +       const size_t attr_sz = offsetofend(union bpf_attr, info);
> +       __u8 sha[SHA256_DIGEST_LENGTH];
> +       struct bpf_map_info info = {};

memset(0) this instead of relying on = {}

> +       __u32 info_len = sizeof(info);
> +       union bpf_attr attr;
> +
> +       info.hash = (long) &sha;
> +       info.hash_size = SHA256_DIGEST_LENGTH;
> +
> +       memset(&attr, 0, attr_sz);
> +       attr.info.bpf_fd = fd;
> +       attr.info.info = (long) &info;
> +       attr.info.info_len = info_len;
> +       return skel_sys_bpf(BPF_OBJ_GET_INFO_BY_FD, &attr, attr_sz);
> +}

[...]

[syzbot ci] Re: Signed BPF programs

[syzbot ci]

syzbot ci has tested the following series

[v3] Signed BPF programs
https://lore.kernel.org/all/20250813205526.2992911-1-kpsingh@kernel.org
* [PATCH v3 01/12] bpf: Update the bpf_prog_calc_tag to use SHA256
* [PATCH v3 02/12] bpf: Implement exclusive map creation
* [PATCH v3 03/12] libbpf: Implement SHA256 internal helper
* [PATCH v3 04/12] libbpf: Support exclusive map creation
* [PATCH v3 05/12] selftests/bpf: Add tests for exclusive maps
* [PATCH v3 06/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD
* [PATCH v3 07/12] bpf: Move the signature kfuncs to helpers.c
* [PATCH v3 08/12] bpf: Implement signature verification for BPF programs
* [PATCH v3 09/12] libbpf: Update light skeleton for signing
* [PATCH v3 10/12] libbpf: Embed and verify the metadata hash in the loader
* [PATCH v3 11/12] bpftool: Add support for signing BPF programs
* [PATCH v3 12/12] selftests/bpf: Enable signature verification for some lskel tests

and found the following issue:
general protection fault in bpf_verify_pkcs7_signature

Full report is available here:
https://ci.syzbot.org/series/67d9a289-da5c-4051-8c3c-cc32b6ccd77d

***

general protection fault in bpf_verify_pkcs7_signature

tree:      bpf-next
URL:       https://kernel.googlesource.com/pub/scm/linux/kernel/git/bpf/bpf-next.git
base:      07866544e410e4c895a729971e4164861b41fad5
arch:      amd64
compiler:  Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
config:    https://ci.syzbot.org/builds/1e87aafb-11dc-48f1-a980-c91551ba52de/config
C repro:   https://ci.syzbot.org/findings/0c329233-09a8-4e8b-9e6e-72f234dd85ab/c_repro
syz repro: https://ci.syzbot.org/findings/0c329233-09a8-4e8b-9e6e-72f234dd85ab/syz_repro

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 1 UID: 0 PID: 6001 Comm: syz.0.17 Not tainted 6.17.0-rc1-syzkaller-00022-g07866544e410-dirty #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:bpf_verify_pkcs7_signature+0x31/0x190 kernel/bpf/helpers.c:3835
Code: 41 56 41 55 41 54 53 48 89 d3 49 89 f6 49 89 ff 48 bd 00 00 00 00 00 fc ff df e8 aa b0 e0 ff 4c 8d 63 08 4c 89 e0 48 c1 e8 03 <0f> b6 04 28 84 c0 0f 85 01 01 00 00 41 80 3c 24 00 74 3d 48 89 d8
RSP: 0018:ffffc90002f7fa08 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff888020c51cc0
RDX: 0000000000000000 RSI: ffffc90002f7faa0 RDI: ffffc90002f7fac0
RBP: dffffc0000000000 R08: 0000000000000018 R09: ffffffff820b8a70
R10: ffffc90002f7fac0 R11: fffff520005eff5a R12: 0000000000000008
R13: 0000000000000010 R14: ffffc90002f7faa0 R15: ffffc90002f7fac0
FS:  00005555895fe500(0000) GS:ffff8881a3c1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30b63fff CR3: 0000000028898000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 bpf_prog_verify_signature+0x2da/0x3b0 kernel/bpf/syscall.c:2815
 bpf_prog_load+0xcc4/0x19e0 kernel/bpf/syscall.c:2989
 __sys_bpf+0x507/0x860 kernel/bpf/syscall.c:6116
 __do_sys_bpf kernel/bpf/syscall.c:6226 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6224 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6224
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0a4558ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff940250b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f0a457b5fa0 RCX: 00007f0a4558ebe9
RDX: 00000000000000a8 RSI: 0000200000000140 RDI: 0000000000000005
RBP: 00007f0a45611e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0a457b5fa0 R14: 00007f0a457b5fa0 R15: 0000000000000003
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:bpf_verify_pkcs7_signature+0x31/0x190 kernel/bpf/helpers.c:3835
Code: 41 56 41 55 41 54 53 48 89 d3 49 89 f6 49 89 ff 48 bd 00 00 00 00 00 fc ff df e8 aa b0 e0 ff 4c 8d 63 08 4c 89 e0 48 c1 e8 03 <0f> b6 04 28 84 c0 0f 85 01 01 00 00 41 80 3c 24 00 74 3d 48 89 d8
RSP: 0018:ffffc90002f7fa08 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff888020c51cc0
RDX: 0000000000000000 RSI: ffffc90002f7faa0 RDI: ffffc90002f7fac0
RBP: dffffc0000000000 R08: 0000000000000018 R09: ffffffff820b8a70
R10: ffffc90002f7fac0 R11: fffff520005eff5a R12: 0000000000000008
R13: 0000000000000010 R14: ffffc90002f7faa0 R15: ffffc90002f7fac0
FS:  00005555895fe500(0000) GS:ffff8881a3c1c000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30b63fff CR3: 0000000028898000 CR4: 00000000000006f0
----------------
Code disassembly (best guess):
   0:	41 56                	push   %r14
   2:	41 55                	push   %r13
   4:	41 54                	push   %r12
   6:	53                   	push   %rbx
   7:	48 89 d3             	mov    %rdx,%rbx
   a:	49 89 f6             	mov    %rsi,%r14
   d:	49 89 ff             	mov    %rdi,%r15
  10:	48 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%rbp
  17:	fc ff df
  1a:	e8 aa b0 e0 ff       	call   0xffe0b0c9
  1f:	4c 8d 63 08          	lea    0x8(%rbx),%r12
  23:	4c 89 e0             	mov    %r12,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	0f b6 04 28          	movzbl (%rax,%rbp,1),%eax <-- trapping instruction
  2e:	84 c0                	test   %al,%al
  30:	0f 85 01 01 00 00    	jne    0x137
  36:	41 80 3c 24 00       	cmpb   $0x0,(%r12)
  3b:	74 3d                	je     0x7a
  3d:	48 89 d8             	mov    %rbx,%rax


***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.

Re: [PATCH v3 11/12] bpftool: Add support for signing BPF programs

[KP Singh]

On Thu, Aug 14, 2025 at 6:51 PM Blaise Boscaccy
<bboscaccy@linux.microsoft.com> wrote:
>
> KP Singh <kpsingh@kernel.org> writes:
>
> > Two modes of operation being added:
> >
> > Add two modes of operation:
> >
> > * For prog load, allow signing a program immediately before loading. This
> >   is essential for command-line testing and administration.
> >
> >       bpftool prog load -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
> >
> > * For gen skeleton, embed a pre-generated signature into the C skeleton
> >   file. This supports the use of signed programs in compiled applications.
> >
> >       bpftool gen skeleton -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
> >
> > Generation of the loader program and its metadata map is implemented in
> > libbpf (bpf_obj__gen_loader). bpftool generates a skeleton that loads
> > the program and automates the required steps: freezing the map, creating
> > an exclusive map, loading, and running. Users can use standard libbpf
> > APIs directly or integrate loader program generation into their own
> > toolchains.
> >
> > Signed-off-by: KP Singh <kpsingh@kernel.org>
> > ---
> >  .../bpf/bpftool/Documentation/bpftool-gen.rst |  16 +-
> >  .../bpftool/Documentation/bpftool-prog.rst    |  18 +-
> >  tools/bpf/bpftool/Makefile                    |   6 +-
> >  tools/bpf/bpftool/cgroup.c                    |   4 +
> >  tools/bpf/bpftool/gen.c                       |  60 ++++-
> >  tools/bpf/bpftool/main.c                      |  26 ++-
> >  tools/bpf/bpftool/main.h                      |  11 +
> >  tools/bpf/bpftool/prog.c                      |  27 ++-
> >  tools/bpf/bpftool/sign.c                      | 212 ++++++++++++++++++
> >  9 files changed, 367 insertions(+), 13 deletions(-)
> >  create mode 100644 tools/bpf/bpftool/sign.c
> >
> > diff --git a/tools/bpf/bpftool/Documentation/bpftool-gen.rst b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> > index ca860fd97d8d..cef469d758ed 100644
> > --- a/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> > +++ b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
> > @@ -16,7 +16,8 @@ SYNOPSIS
> >
> >  **bpftool** [*OPTIONS*] **gen** *COMMAND*
> >
> > -*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } }
> > +*OPTIONS* := { |COMMON_OPTIONS| [ { **-L** | **--use-loader** } ]
> > +[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }}
> >
> >  *COMMAND* := { **object** | **skeleton** | **help** }
> >
> > @@ -186,6 +187,19 @@ OPTIONS
> >      skeleton). A light skeleton contains a loader eBPF program. It does not use
> >      the majority of the libbpf infrastructure, and does not need libelf.
> >
> > +-S, --sign
> > +    For skeletons, generate a signed skeleton. This option must be used with
> > +    **-k** and **-i**. Using this flag implicitly enables **--use-loader**.
> > +    See the "Signed Skeletons" section in the description of the
> > +    **gen skeleton** command for more details.
> > +
> > +-k <private_key.pem>
> > +    Path to the private key file in PEM format, required for signing.
> > +
> > +-i <certificate.x509>
> > +    Path to the X.509 certificate file in PEM or DER format, required for
> > +    signing.
> > +
> >  EXAMPLES
> >  ========
> >  **$ cat example1.bpf.c**
> > diff --git a/tools/bpf/bpftool/Documentation/bpftool-prog.rst b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
> > index f69fd92df8d8..55b812761df2 100644
> > --- a/tools/bpf/bpftool/Documentation/bpftool-prog.rst
> > +++ b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
> > @@ -16,9 +16,9 @@ SYNOPSIS
> >
> >  **bpftool** [*OPTIONS*] **prog** *COMMAND*
> >
> > -*OPTIONS* := { |COMMON_OPTIONS| |
> > -{ **-f** | **--bpffs** } | { **-m** | **--mapcompat** } | { **-n** | **--nomount** } |
> > -{ **-L** | **--use-loader** } }
> > +*OPTIONS* := { |COMMON_OPTIONS| [ { **-f** | **--bpffs** } ] [ { **-m** | **--mapcompat** } ]
> > +[ { **-n** | **--nomount** } ] [ { **-L** | **--use-loader** } ]
> > +[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }
> >
> >  *COMMANDS* :=
> >  { **show** | **list** | **dump xlated** | **dump jited** | **pin** | **load** |
> > @@ -248,6 +248,18 @@ OPTIONS
> >      creating the maps, and loading the programs (see **bpftool prog tracelog**
> >      as a way to dump those messages).
> >
> > +-S, --sign
> > +    Enable signing of the BPF program before loading. This option must be
> > +    used with **-k** and **-i**. Using this flag implicitly enables
> > +    **--use-loader**.
> > +
> > +-k <private_key.pem>
> > +    Path to the private key file in PEM format, required when signing.
> > +
> > +-i <certificate.x509>
> > +    Path to the X.509 certificate file in PEM or DER format, required when
> > +    signing.
> > +
> >  EXAMPLES
> >  ========
> >  **# bpftool prog show**
> > diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
> > index 9e9a5f006cd2..586d1b2595d1 100644
> > --- a/tools/bpf/bpftool/Makefile
> > +++ b/tools/bpf/bpftool/Makefile
> > @@ -130,8 +130,8 @@ include $(FEATURES_DUMP)
> >  endif
> >  endif
> >
> > -LIBS = $(LIBBPF) -lelf -lz
> > -LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
> > +LIBS = $(LIBBPF) -lelf -lz -lcrypto
> > +LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
> >
> >  ifeq ($(feature-libelf-zstd),1)
> >  LIBS += -lzstd
> > @@ -194,7 +194,7 @@ endif
> >
> >  BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
> >
> > -BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
> > +BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
> >  $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
> >
> >  OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
> > diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
> > index 944ebe21a216..ec356deb27c9 100644
> > --- a/tools/bpf/bpftool/cgroup.c
> > +++ b/tools/bpf/bpftool/cgroup.c
> > @@ -2,6 +2,10 @@
> >  // Copyright (C) 2017 Facebook
> >  // Author: Roman Gushchin <guro@fb.com>
> >
> > +#undef GCC_VERSION
> > +#ifndef _GNU_SOURCE
> > +#define _GNU_SOURCE
> > +#endif
> >  #define _XOPEN_SOURCE 500
> >  #include <errno.h>
> >  #include <fcntl.h>
> > diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
> > index 67a60114368f..427468c9e9c2 100644
> > --- a/tools/bpf/bpftool/gen.c
> > +++ b/tools/bpf/bpftool/gen.c
> > @@ -688,10 +688,17 @@ static void codegen_destroy(struct bpf_object *obj, const char *obj_name)
> >  static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *header_guard)
> >  {
> >       DECLARE_LIBBPF_OPTS(gen_loader_opts, opts);
> > +     struct bpf_load_and_run_opts sopts = {};
> > +     char sig_buf[MAX_SIG_SIZE];
> > +     __u8 prog_sha[SHA256_DIGEST_LENGTH];
> >       struct bpf_map *map;
> > +
> >       char ident[256];
> >       int err = 0;
> >
> > +     if (sign_progs)
> > +             opts.gen_hash = true;
> > +
> >       err = bpf_object__gen_loader(obj, &opts);
> >       if (err)
> >               return err;
> > @@ -701,6 +708,7 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
> >               p_err("failed to load object file");
> >               goto out;
> >       }
> > +
> >       /* If there was no error during load then gen_loader_opts
> >        * are populated with the loader program.
> >        */
> > @@ -780,8 +788,51 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
> >       print_hex(opts.insns, opts.insns_sz);
> >       codegen("\
> >               \n\
> > -             \";                                                         \n\
> > -                                                                         \n\
> > +             \";\n");
> > +
> > +     if (sign_progs) {
> > +             sopts.insns = opts.insns;
> > +             sopts.insns_sz = opts.insns_sz;
> > +             sopts.excl_prog_hash = prog_sha;
> > +             sopts.excl_prog_hash_sz = sizeof(prog_sha);
> > +             sopts.signature = sig_buf;
> > +             sopts.signature_sz = MAX_SIG_SIZE;
> > +             sopts.keyring_id = KEY_SPEC_SESSION_KEYRING;
> > +
>
> This still has the session keyring hardcoded.

We can do this for now:

diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
index 427468c9e9c2..694e61f1909e 100644
--- a/tools/bpf/bpftool/gen.c
+++ b/tools/bpf/bpftool/gen.c
@@ -797,7 +797,6 @@ static int gen_trace(struct bpf_object *obj, const
char *obj_name, const char *h
                sopts.excl_prog_hash_sz = sizeof(prog_sha);
                sopts.signature = sig_buf;
                sopts.signature_sz = MAX_SIG_SIZE;
-               sopts.keyring_id = KEY_SPEC_SESSION_KEYRING;

                err = bpftool_prog_sign(&sopts);
                if (err < 0)
@@ -827,7 +826,7 @@ static int gen_trace(struct bpf_object *obj, const
char *obj_name, const char *h
                        opts.signature_sz = sizeof(opts_sig) - 1;
         \n\
                        opts.excl_prog_hash = (void *)opts_excl_hash;
         \n\
                        opts.excl_prog_hash_sz =
sizeof(opts_excl_hash) - 1;    \n\
-                       opts.keyring_id = KEY_SPEC_SESSION_KEYRING;
         \n\
+                       opts.keyring_id = skel->keyring_id;
         \n\
                ");
        }

@@ -1406,6 +1405,13 @@ static int do_skeleton(int argc, char **argv)
                printf("\t} links;\n");
        }

+       if (sign_progs) {
+               codegen("\
+               \n\
+                       __s32 keyring_id;                                  \n\
+               ");
+       }
+
        if (btf) {
                err = codegen_datasecs(obj, obj_name);
                if (err)
diff --git a/tools/testing/selftests/bpf/prog_tests/atomics.c
b/tools/testing/selftests/bpf/prog_tests/atomics.c
index 13e101f370a1..92b5f378bfb8 100644
--- a/tools/testing/selftests/bpf/prog_tests/atomics.c
+++ b/tools/testing/selftests/bpf/prog_tests/atomics.c
@@ -165,11 +165,17 @@ static void test_xchg(struct atomics_lskel *skel)
 void test_atomics(void)
 {
        struct atomics_lskel *skel;
+       int err;

-       skel = atomics_lskel__open_and_load();
-       if (!ASSERT_OK_PTR(skel, "atomics skeleton load"))
+       skel = atomics_lskel__open();
+       if (!ASSERT_OK_PTR(skel, "atomics skeleton open"))
                return;

+       skel->keyring_id = KEY_SPEC_SESSION_KEYRING;
+       err = atomics_lskel__load(skel);
+       if (!ASSERT_OK(err, "atomics skeleton load"))
+               goto cleanup;
+
        if (skel->data->skip_tests) {
                printf("%s:SKIP:no ENABLE_ATOMICS_TESTS (missing Clang
BPF atomics support)",
                       __func__);
- KP

>
> > +             err = bpftool_prog_sign(&sopts);
> > +             if (err < 0)
> > +                     return err;
> > +
> > +             codegen("\
> > +             \n\
> > +                     static const char opts_sig[] __attribute__((__aligned__(8))) = \"\\\n\
> > +             ");
> > +             print_hex((const void *)sig_buf, sopts.signature_sz);
> > +             codegen("\
> > +             \n\
> > +             \";\n");
> > +
> > +             codegen("\
> > +             \n\
> > +                     static const char opts_excl_hash[] __attribute__((__aligned__(8))) = \"\\\n\
> > +             ");
> > +             print_hex((const void *)prog_sha, sizeof(prog_sha));
> > +             codegen("\
> > +             \n\
> > +             \";\n");
> > +
> > +             codegen("\
> > +             \n\
> > +                     opts.signature = (void *)opts_sig;                      \n\
> > +                     opts.signature_sz = sizeof(opts_sig) - 1;               \n\
> > +                     opts.excl_prog_hash = (void *)opts_excl_hash;           \n\
> > +                     opts.excl_prog_hash_sz = sizeof(opts_excl_hash) - 1;    \n\
> > +                     opts.keyring_id = KEY_SPEC_SESSION_KEYRING;             \n\
> > +             ");
>
> And here.
>
> > +     }
> > +
> > +     codegen("\
> > +             \n\
> >                       opts.ctx = (struct bpf_loader_ctx *)skel;           \n\
> >                       opts.data_sz = sizeof(opts_data) - 1;               \n\
> >                       opts.data = (void *)opts_data;                      \n\
> > @@ -1240,7 +1291,7 @@ static int do_skeleton(int argc, char **argv)
> >               err = -errno;
> >               libbpf_strerror(err, err_buf, sizeof(err_buf));
> >               p_err("failed to open BPF object file: %s", err_buf);
> > -             goto out;
> > +             goto out_obj;
> >       }
> >
> >       bpf_object__for_each_map(map, obj) {
> > @@ -1552,6 +1603,7 @@ static int do_skeleton(int argc, char **argv)
> >       err = 0;
> >  out:
> >       bpf_object__close(obj);
> > +out_obj:
> >       if (obj_data)
> >               munmap(obj_data, mmap_sz);
> >       close(fd);
> > @@ -1930,7 +1982,7 @@ static int do_help(int argc, char **argv)
> >               "       %1$s %2$s help\n"
> >               "\n"
> >               "       " HELP_SPEC_OPTIONS " |\n"
> > -             "                    {-L|--use-loader} }\n"
> > +             "                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
> >               "",
> >               bin_name, "gen");
> >
> > diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
> > index 0f1183b2ed0a..c78eb80b9c94 100644
> > --- a/tools/bpf/bpftool/main.c
> > +++ b/tools/bpf/bpftool/main.c
> > @@ -33,6 +33,9 @@ bool relaxed_maps;
> >  bool use_loader;
> >  struct btf *base_btf;
> >  struct hashmap *refs_table;
> > +bool sign_progs;
> > +const char *private_key_path;
> > +const char *cert_path;
> >
> >  static void __noreturn clean_and_exit(int i)
> >  {
> > @@ -448,6 +451,7 @@ int main(int argc, char **argv)
> >               { "nomount",    no_argument,    NULL,   'n' },
> >               { "debug",      no_argument,    NULL,   'd' },
> >               { "use-loader", no_argument,    NULL,   'L' },
> > +             { "sign",       no_argument,    NULL,   'S' },
> >               { "base-btf",   required_argument, NULL, 'B' },
> >               { 0 }
> >       };
> > @@ -474,7 +478,7 @@ int main(int argc, char **argv)
> >       bin_name = "bpftool";
> >
> >       opterr = 0;
> > -     while ((opt = getopt_long(argc, argv, "VhpjfLmndB:l",
> > +     while ((opt = getopt_long(argc, argv, "VhpjfLmndSi:k:B:l",
> >                                 options, NULL)) >= 0) {
> >               switch (opt) {
> >               case 'V':
> > @@ -520,6 +524,16 @@ int main(int argc, char **argv)
> >               case 'L':
> >                       use_loader = true;
> >                       break;
> > +             case 'S':
> > +                     sign_progs = true;
> > +                     use_loader = true;
> > +                     break;
> > +             case 'k':
> > +                     private_key_path = optarg;
> > +                     break;
> > +             case 'i':
> > +                     cert_path = optarg;
> > +                     break;
> >               default:
> >                       p_err("unrecognized option '%s'", argv[optind - 1]);
> >                       if (json_output)
> > @@ -534,6 +548,16 @@ int main(int argc, char **argv)
> >       if (argc < 0)
> >               usage();
> >
> > +     if (sign_progs && (private_key_path == NULL || cert_path == NULL)) {
> > +             p_err("-i <identity_x509_cert> and -k <private> key must be supplied with -S for signing");
> > +             return -EINVAL;
> > +     }
> > +
> > +     if (!sign_progs && (private_key_path != NULL || cert_path != NULL)) {
> > +             p_err("-i <identity_x509_cert> and -k <private> also need --sign to be used for sign programs");
> > +             return -EINVAL;
> > +     }
> > +
> >       if (version_requested)
> >               ret = do_version(argc, argv);
> >       else
> > diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
> > index a2bb0714b3d6..f7f5b39b66c8 100644
> > --- a/tools/bpf/bpftool/main.h
> > +++ b/tools/bpf/bpftool/main.h
> > @@ -6,9 +6,14 @@
> >
> >  /* BFD and kernel.h both define GCC_VERSION, differently */
> >  #undef GCC_VERSION
> > +#ifndef _GNU_SOURCE
> > +#define _GNU_SOURCE
> > +#endif
> >  #include <stdbool.h>
> >  #include <stdio.h>
> > +#include <errno.h>
> >  #include <stdlib.h>
> > +#include <bpf/skel_internal.h>
> >  #include <linux/bpf.h>
> >  #include <linux/compiler.h>
> >  #include <linux/kernel.h>
> > @@ -52,6 +57,7 @@ static inline void *u64_to_ptr(__u64 ptr)
> >       })
> >
> >  #define ERR_MAX_LEN  1024
> > +#define MAX_SIG_SIZE 4096
> >
> >  #define BPF_TAG_FMT  "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
> >
> > @@ -85,6 +91,9 @@ extern bool relaxed_maps;
> >  extern bool use_loader;
> >  extern struct btf *base_btf;
> >  extern struct hashmap *refs_table;
> > +extern bool sign_progs;
> > +extern const char *private_key_path;
> > +extern const char *cert_path;
> >
> >  void __printf(1, 2) p_err(const char *fmt, ...);
> >  void __printf(1, 2) p_info(const char *fmt, ...);
> > @@ -275,4 +284,6 @@ int pathname_concat(char *buf, int buf_sz, const char *path,
> >  /* print netfilter bpf_link info */
> >  void netfilter_dump_plain(const struct bpf_link_info *info);
> >  void netfilter_dump_json(const struct bpf_link_info *info, json_writer_t *wtr);
> > +int bpftool_prog_sign(struct bpf_load_and_run_opts *opts);
> > +__u32 register_session_key(const char *key_der_path);
> >  #endif
> > diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
> > index 9722d841abc0..82b8da084504 100644
> > --- a/tools/bpf/bpftool/prog.c
> > +++ b/tools/bpf/bpftool/prog.c
> > @@ -23,6 +23,7 @@
> >  #include <linux/err.h>
> >  #include <linux/perf_event.h>
> >  #include <linux/sizes.h>
> > +#include <linux/keyctl.h>
> >
> >  #include <bpf/bpf.h>
> >  #include <bpf/btf.h>
> > @@ -1930,6 +1931,8 @@ static int try_loader(struct gen_loader_opts *gen)
> >  {
> >       struct bpf_load_and_run_opts opts = {};
> >       struct bpf_loader_ctx *ctx;
> > +     char sig_buf[MAX_SIG_SIZE];
> > +     __u8 prog_sha[SHA256_DIGEST_LENGTH];
> >       int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
> >                                            sizeof(struct bpf_prog_desc));
> >       int log_buf_sz = (1u << 24) - 1;
> > @@ -1953,6 +1956,24 @@ static int try_loader(struct gen_loader_opts *gen)
> >       opts.insns = gen->insns;
> >       opts.insns_sz = gen->insns_sz;
> >       fds_before = count_open_fds();
> > +
> > +     if (sign_progs) {
> > +             opts.excl_prog_hash = prog_sha;
> > +             opts.excl_prog_hash_sz = sizeof(prog_sha);
> > +             opts.signature = sig_buf;
> > +             opts.signature_sz = MAX_SIG_SIZE;
> > +             opts.keyring_id = KEY_SPEC_SESSION_KEYRING;
> > +
>
> And here as well.

The "load -S" command loads and signs the program in one go, so this
is purely for debugging and not how one would use signing. Session key
is fine here. What we really want is flexibility when using skeletons.

- KP



>
> > +             err = bpftool_prog_sign(&opts);
> > +             if (err < 0)
> > +                     return err;
> > +
> > +             err = register_session_key(cert_path);
> > +             if (err < 0) {
> > +                     p_err("failed to add session key");
> > +                     goto out;
> > +             }
> > +     }
> >       err = bpf_load_and_run(&opts);
> >       fd_delta = count_open_fds() - fds_before;
> >       if (err < 0 || verifier_logs) {
> > @@ -1961,6 +1982,7 @@ static int try_loader(struct gen_loader_opts *gen)
> >                       fprintf(stderr, "loader prog leaked %d FDs\n",
> >                               fd_delta);
> >       }
> > +out:
> >       free(log_buf);
> >       return err;
> >  }
> > @@ -1988,6 +2010,9 @@ static int do_loader(int argc, char **argv)
> >               goto err_close_obj;
> >       }
> >
> > +     if (sign_progs)
> > +             gen.gen_hash = true;
> > +
> >       err = bpf_object__gen_loader(obj, &gen);
> >       if (err)
> >               goto err_close_obj;
> > @@ -2562,7 +2587,7 @@ static int do_help(int argc, char **argv)
> >               "       METRIC := { cycles | instructions | l1d_loads | llc_misses | itlb_misses | dtlb_misses }\n"
> >               "       " HELP_SPEC_OPTIONS " |\n"
> >               "                    {-f|--bpffs} | {-m|--mapcompat} | {-n|--nomount} |\n"
> > -             "                    {-L|--use-loader} }\n"
> > +             "                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ] \n"
> >               "",
> >               bin_name, argv[-2]);
> >
> > diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
> > new file mode 100644
> > index 000000000000..b29d825bb1d4
> > --- /dev/null
> > +++ b/tools/bpf/bpftool/sign.c
> > @@ -0,0 +1,212 @@
> > +// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
> > +/*
> > + * Copyright (C) 2025 Google LLC.
> > + */
> > +
> > +#ifndef _GNU_SOURCE
> > +#define _GNU_SOURCE
> > +#endif
> > +#include <stdio.h>
> > +#include <stdlib.h>
> > +#include <stdint.h>
> > +#include <stdbool.h>
> > +#include <string.h>
> > +#include <string.h>
> > +#include <getopt.h>
> > +#include <err.h>
> > +#include <openssl/opensslv.h>
> > +#include <openssl/bio.h>
> > +#include <openssl/evp.h>
> > +#include <openssl/pem.h>
> > +#include <openssl/err.h>
> > +#include <openssl/cms.h>
> > +#include <linux/keyctl.h>
> > +#include <errno.h>
> > +
> > +#include <bpf/skel_internal.h>
> > +
> > +#include "main.h"
> > +
> > +#define OPEN_SSL_ERR_BUF_LEN 256
> > +
> > +static void display_openssl_errors(int l)
> > +{
> > +     char buf[OPEN_SSL_ERR_BUF_LEN];
> > +     const char *file;
> > +     const char *data;
> > +     unsigned long e;
> > +     int flags;
> > +     int line;
> > +
> > +     while ((e = ERR_get_error_all(&file, &line, NULL, &data, &flags))) {
> > +             ERR_error_string_n(e, buf, sizeof(buf));
> > +             if (data && (flags & ERR_TXT_STRING)) {
> > +                     p_err("OpenSSL %s: %s:%d: %s", buf, file, line, data);
> > +             } else {
> > +                     p_err("OpenSSL %s: %s:%d", buf, file, line);
> > +             }
> > +     }
> > +}
> > +
> > +#define DISPLAY_OSSL_ERR(cond)                                \
> > +     do {                                             \
> > +             bool __cond = (cond);                    \
> > +             if (__cond && ERR_peek_error())          \
> > +                     display_openssl_errors(__LINE__);\
> > +     } while (0)
> > +
> > +static EVP_PKEY *read_private_key(const char *pkey_path)
> > +{
> > +     EVP_PKEY *private_key = NULL;
> > +     BIO *b;
> > +
> > +     b = BIO_new_file(pkey_path, "rb");
> > +     private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
> > +     BIO_free(b);
> > +     DISPLAY_OSSL_ERR(!private_key);
> > +     return private_key;
> > +}
> > +
> > +static X509 *read_x509(const char *x509_name)
> > +{
> > +     unsigned char buf[2];
> > +     X509 *x509 = NULL;
> > +     BIO *b;
> > +     int n;
> > +
> > +     b = BIO_new_file(x509_name, "rb");
> > +     if (!b)
> > +             goto cleanup;
> > +
> > +     /* Look at the first two bytes of the file to determine the encoding */
> > +     n = BIO_read(b, buf, 2);
> > +     if (n != 2)
> > +             goto cleanup;
> > +
> > +     if (BIO_reset(b) != 0)
> > +             goto cleanup;
> > +
> > +     if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
> > +             /* Assume raw DER encoded X.509 */
> > +             x509 = d2i_X509_bio(b, NULL);
> > +     else
> > +             /* Assume PEM encoded X.509 */
> > +             x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
> > +
> > +cleanup:
> > +     BIO_free(b);
> > +     DISPLAY_OSSL_ERR(!x509);
> > +     return x509;
> > +}
> > +
> > +__u32 register_session_key(const char *key_der_path)
> > +{
> > +     unsigned char *der_buf = NULL;
> > +     X509 *x509 = NULL;
> > +     int key_id = -1;
> > +     int der_len;
> > +
> > +     if (!key_der_path)
> > +             return key_id;
> > +     x509 = read_x509(key_der_path);
> > +     if (!x509)
> > +             goto cleanup;
> > +     der_len = i2d_X509(x509, &der_buf);
> > +     if (der_len < 0)
> > +             goto cleanup;
> > +     key_id = syscall(__NR_add_key, "asymmetric", key_der_path, der_buf,
> > +                          (size_t)der_len, KEY_SPEC_SESSION_KEYRING);
> > +cleanup:
> > +     X509_free(x509);
> > +     OPENSSL_free(der_buf);
> > +     DISPLAY_OSSL_ERR(key_id == -1);
> > +     return key_id;
> > +}
> > +
> > +int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
> > +{
> > +     BIO *bd_in = NULL, *bd_out = NULL;
> > +     EVP_PKEY *private_key = NULL;
> > +     CMS_ContentInfo *cms = NULL;
> > +     long actual_sig_len = 0;
> > +     X509 *x509 = NULL;
> > +     int err = 0;
> > +
> > +     bd_in = BIO_new_mem_buf(opts->insns, opts->insns_sz);
> > +     if (!bd_in) {
> > +             err = -ENOMEM;
> > +             goto cleanup;
> > +     }
> > +
> > +     private_key = read_private_key(private_key_path);
> > +     if (!private_key) {
> > +             err = -EINVAL;
> > +             goto cleanup;
> > +     }
> > +
> > +     x509 = read_x509(cert_path);
> > +     if (!x509) {
> > +             err = -EINVAL;
> > +             goto cleanup;
> > +     }
> > +
> > +     cms = CMS_sign(NULL, NULL, NULL, NULL,
> > +                    CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED |
> > +                            CMS_STREAM);
> > +     if (!cms) {
> > +             err = -EINVAL;
> > +             goto cleanup;
> > +     }
> > +
> > +     if (!CMS_add1_signer(cms, x509, private_key, EVP_sha256(),
> > +                          CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
> > +                          CMS_USE_KEYID | CMS_NOATTR)) {
> > +             err = -EINVAL;
> > +             goto cleanup;
> > +     }
> > +
> > +     if (CMS_final(cms, bd_in, NULL, CMS_NOCERTS | CMS_BINARY) != 1) {
> > +             err = -EIO;
> > +             goto cleanup;
> > +     }
> > +
> > +     EVP_Digest(opts->insns, opts->insns_sz, opts->excl_prog_hash,
> > +                &opts->excl_prog_hash_sz, EVP_sha256(), NULL);
> > +
> > +             bd_out = BIO_new(BIO_s_mem());
> > +     if (!bd_out) {
> > +             err = -ENOMEM;
> > +             goto cleanup;
> > +     }
> > +
> > +     if (!i2d_CMS_bio_stream(bd_out, cms, NULL, 0)) {
> > +             err = -EIO;
> > +             goto cleanup;
> > +     }
> > +
> > +     actual_sig_len = BIO_get_mem_data(bd_out, NULL);
> > +     if (actual_sig_len <= 0) {
> > +             err = -EIO;
> > +             goto cleanup;
> > +     }
> > +
> > +     if ((size_t)actual_sig_len > opts->signature_sz) {
> > +             err = -ENOSPC;
> > +             goto cleanup;
> > +     }
> > +
> > +     if (BIO_read(bd_out, opts->signature, actual_sig_len) != actual_sig_len) {
> > +             err = -EIO;
> > +             goto cleanup;
> > +     }
> > +
> > +     opts->signature_sz = actual_sig_len;
> > +cleanup:
> > +     BIO_free(bd_out);
> > +     CMS_ContentInfo_free(cms);
> > +     X509_free(x509);
> > +     EVP_PKEY_free(private_key);
> > +     BIO_free(bd_in);
> > +     DISPLAY_OSSL_ERR(err < 0);
> > +     return err;
> > +}
> > --
> > 2.43.0

Re: [PATCH v3 11/12] bpftool: Add support for signing BPF programs

[Blaise Boscaccy]

KP Singh <kpsingh@kernel.org> writes:

> On Thu, Aug 14, 2025 at 6:51 PM Blaise Boscaccy
> <bboscaccy@linux.microsoft.com> wrote:
>>
>> KP Singh <kpsingh@kernel.org> writes:
>>
>> > Two modes of operation being added:
>> >
>> > Add two modes of operation:
>> >
>> > * For prog load, allow signing a program immediately before loading. This
>> >   is essential for command-line testing and administration.
>> >
>> >       bpftool prog load -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>> >
>> > * For gen skeleton, embed a pre-generated signature into the C skeleton
>> >   file. This supports the use of signed programs in compiled applications.
>> >
>> >       bpftool gen skeleton -S -k <private_key> -i <identity_cert> fentry_test.bpf.o
>> >
>> > Generation of the loader program and its metadata map is implemented in
>> > libbpf (bpf_obj__gen_loader). bpftool generates a skeleton that loads
>> > the program and automates the required steps: freezing the map, creating
>> > an exclusive map, loading, and running. Users can use standard libbpf
>> > APIs directly or integrate loader program generation into their own
>> > toolchains.
>> >
>> > Signed-off-by: KP Singh <kpsingh@kernel.org>
>> > ---
>> >  .../bpf/bpftool/Documentation/bpftool-gen.rst |  16 +-
>> >  .../bpftool/Documentation/bpftool-prog.rst    |  18 +-
>> >  tools/bpf/bpftool/Makefile                    |   6 +-
>> >  tools/bpf/bpftool/cgroup.c                    |   4 +
>> >  tools/bpf/bpftool/gen.c                       |  60 ++++-
>> >  tools/bpf/bpftool/main.c                      |  26 ++-
>> >  tools/bpf/bpftool/main.h                      |  11 +
>> >  tools/bpf/bpftool/prog.c                      |  27 ++-
>> >  tools/bpf/bpftool/sign.c                      | 212 ++++++++++++++++++
>> >  9 files changed, 367 insertions(+), 13 deletions(-)
>> >  create mode 100644 tools/bpf/bpftool/sign.c
>> >
>> > diff --git a/tools/bpf/bpftool/Documentation/bpftool-gen.rst b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>> > index ca860fd97d8d..cef469d758ed 100644
>> > --- a/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>> > +++ b/tools/bpf/bpftool/Documentation/bpftool-gen.rst
>> > @@ -16,7 +16,8 @@ SYNOPSIS
>> >
>> >  **bpftool** [*OPTIONS*] **gen** *COMMAND*
>> >
>> > -*OPTIONS* := { |COMMON_OPTIONS| | { **-L** | **--use-loader** } }
>> > +*OPTIONS* := { |COMMON_OPTIONS| [ { **-L** | **--use-loader** } ]
>> > +[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }}
>> >
>> >  *COMMAND* := { **object** | **skeleton** | **help** }
>> >
>> > @@ -186,6 +187,19 @@ OPTIONS
>> >      skeleton). A light skeleton contains a loader eBPF program. It does not use
>> >      the majority of the libbpf infrastructure, and does not need libelf.
>> >
>> > +-S, --sign
>> > +    For skeletons, generate a signed skeleton. This option must be used with
>> > +    **-k** and **-i**. Using this flag implicitly enables **--use-loader**.
>> > +    See the "Signed Skeletons" section in the description of the
>> > +    **gen skeleton** command for more details.
>> > +
>> > +-k <private_key.pem>
>> > +    Path to the private key file in PEM format, required for signing.
>> > +
>> > +-i <certificate.x509>
>> > +    Path to the X.509 certificate file in PEM or DER format, required for
>> > +    signing.
>> > +
>> >  EXAMPLES
>> >  ========
>> >  **$ cat example1.bpf.c**
>> > diff --git a/tools/bpf/bpftool/Documentation/bpftool-prog.rst b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>> > index f69fd92df8d8..55b812761df2 100644
>> > --- a/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>> > +++ b/tools/bpf/bpftool/Documentation/bpftool-prog.rst
>> > @@ -16,9 +16,9 @@ SYNOPSIS
>> >
>> >  **bpftool** [*OPTIONS*] **prog** *COMMAND*
>> >
>> > -*OPTIONS* := { |COMMON_OPTIONS| |
>> > -{ **-f** | **--bpffs** } | { **-m** | **--mapcompat** } | { **-n** | **--nomount** } |
>> > -{ **-L** | **--use-loader** } }
>> > +*OPTIONS* := { |COMMON_OPTIONS| [ { **-f** | **--bpffs** } ] [ { **-m** | **--mapcompat** } ]
>> > +[ { **-n** | **--nomount** } ] [ { **-L** | **--use-loader** } ]
>> > +[ { { **-S** | **--sign** } **-k** <private_key.pem> **-i** <certificate.x509> } ] }
>> >
>> >  *COMMANDS* :=
>> >  { **show** | **list** | **dump xlated** | **dump jited** | **pin** | **load** |
>> > @@ -248,6 +248,18 @@ OPTIONS
>> >      creating the maps, and loading the programs (see **bpftool prog tracelog**
>> >      as a way to dump those messages).
>> >
>> > +-S, --sign
>> > +    Enable signing of the BPF program before loading. This option must be
>> > +    used with **-k** and **-i**. Using this flag implicitly enables
>> > +    **--use-loader**.
>> > +
>> > +-k <private_key.pem>
>> > +    Path to the private key file in PEM format, required when signing.
>> > +
>> > +-i <certificate.x509>
>> > +    Path to the X.509 certificate file in PEM or DER format, required when
>> > +    signing.
>> > +
>> >  EXAMPLES
>> >  ========
>> >  **# bpftool prog show**
>> > diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
>> > index 9e9a5f006cd2..586d1b2595d1 100644
>> > --- a/tools/bpf/bpftool/Makefile
>> > +++ b/tools/bpf/bpftool/Makefile
>> > @@ -130,8 +130,8 @@ include $(FEATURES_DUMP)
>> >  endif
>> >  endif
>> >
>> > -LIBS = $(LIBBPF) -lelf -lz
>> > -LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz
>> > +LIBS = $(LIBBPF) -lelf -lz -lcrypto
>> > +LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lz -lcrypto
>> >
>> >  ifeq ($(feature-libelf-zstd),1)
>> >  LIBS += -lzstd
>> > @@ -194,7 +194,7 @@ endif
>> >
>> >  BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
>> >
>> > -BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o)
>> > +BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
>> >  $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
>> >
>> >  OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
>> > diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
>> > index 944ebe21a216..ec356deb27c9 100644
>> > --- a/tools/bpf/bpftool/cgroup.c
>> > +++ b/tools/bpf/bpftool/cgroup.c
>> > @@ -2,6 +2,10 @@
>> >  // Copyright (C) 2017 Facebook
>> >  // Author: Roman Gushchin <guro@fb.com>
>> >
>> > +#undef GCC_VERSION
>> > +#ifndef _GNU_SOURCE
>> > +#define _GNU_SOURCE
>> > +#endif
>> >  #define _XOPEN_SOURCE 500
>> >  #include <errno.h>
>> >  #include <fcntl.h>
>> > diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
>> > index 67a60114368f..427468c9e9c2 100644
>> > --- a/tools/bpf/bpftool/gen.c
>> > +++ b/tools/bpf/bpftool/gen.c
>> > @@ -688,10 +688,17 @@ static void codegen_destroy(struct bpf_object *obj, const char *obj_name)
>> >  static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *header_guard)
>> >  {
>> >       DECLARE_LIBBPF_OPTS(gen_loader_opts, opts);
>> > +     struct bpf_load_and_run_opts sopts = {};
>> > +     char sig_buf[MAX_SIG_SIZE];
>> > +     __u8 prog_sha[SHA256_DIGEST_LENGTH];
>> >       struct bpf_map *map;
>> > +
>> >       char ident[256];
>> >       int err = 0;
>> >
>> > +     if (sign_progs)
>> > +             opts.gen_hash = true;
>> > +
>> >       err = bpf_object__gen_loader(obj, &opts);
>> >       if (err)
>> >               return err;
>> > @@ -701,6 +708,7 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
>> >               p_err("failed to load object file");
>> >               goto out;
>> >       }
>> > +
>> >       /* If there was no error during load then gen_loader_opts
>> >        * are populated with the loader program.
>> >        */
>> > @@ -780,8 +788,51 @@ static int gen_trace(struct bpf_object *obj, const char *obj_name, const char *h
>> >       print_hex(opts.insns, opts.insns_sz);
>> >       codegen("\
>> >               \n\
>> > -             \";                                                         \n\
>> > -                                                                         \n\
>> > +             \";\n");
>> > +
>> > +     if (sign_progs) {
>> > +             sopts.insns = opts.insns;
>> > +             sopts.insns_sz = opts.insns_sz;
>> > +             sopts.excl_prog_hash = prog_sha;
>> > +             sopts.excl_prog_hash_sz = sizeof(prog_sha);
>> > +             sopts.signature = sig_buf;
>> > +             sopts.signature_sz = MAX_SIG_SIZE;
>> > +             sopts.keyring_id = KEY_SPEC_SESSION_KEYRING;
>> > +
>>
>> This still has the session keyring hardcoded.
>
> We can do this for now:
>
> diff --git a/tools/bpf/bpftool/gen.c b/tools/bpf/bpftool/gen.c
> index 427468c9e9c2..694e61f1909e 100644
> --- a/tools/bpf/bpftool/gen.c
> +++ b/tools/bpf/bpftool/gen.c
> @@ -797,7 +797,6 @@ static int gen_trace(struct bpf_object *obj, const
> char *obj_name, const char *h
>                 sopts.excl_prog_hash_sz = sizeof(prog_sha);
>                 sopts.signature = sig_buf;
>                 sopts.signature_sz = MAX_SIG_SIZE;
> -               sopts.keyring_id = KEY_SPEC_SESSION_KEYRING;
>
>                 err = bpftool_prog_sign(&sopts);
>                 if (err < 0)
> @@ -827,7 +826,7 @@ static int gen_trace(struct bpf_object *obj, const
> char *obj_name, const char *h
>                         opts.signature_sz = sizeof(opts_sig) - 1;
>          \n\
>                         opts.excl_prog_hash = (void *)opts_excl_hash;
>          \n\
>                         opts.excl_prog_hash_sz =
> sizeof(opts_excl_hash) - 1;    \n\
> -                       opts.keyring_id = KEY_SPEC_SESSION_KEYRING;
>          \n\
> +                       opts.keyring_id = skel->keyring_id;
>          \n\
>                 ");
>         }
>
> @@ -1406,6 +1405,13 @@ static int do_skeleton(int argc, char **argv)
>                 printf("\t} links;\n");
>         }
>
> +       if (sign_progs) {
> +               codegen("\
> +               \n\
> +                       __s32 keyring_id;                                  \n\
> +               ");
> +       }
> +
>         if (btf) {
>                 err = codegen_datasecs(obj, obj_name);
>                 if (err)
> diff --git a/tools/testing/selftests/bpf/prog_tests/atomics.c
> b/tools/testing/selftests/bpf/prog_tests/atomics.c
> index 13e101f370a1..92b5f378bfb8 100644
> --- a/tools/testing/selftests/bpf/prog_tests/atomics.c
> +++ b/tools/testing/selftests/bpf/prog_tests/atomics.c
> @@ -165,11 +165,17 @@ static void test_xchg(struct atomics_lskel *skel)
>  void test_atomics(void)
>  {
>         struct atomics_lskel *skel;
> +       int err;
>
> -       skel = atomics_lskel__open_and_load();
> -       if (!ASSERT_OK_PTR(skel, "atomics skeleton load"))
> +       skel = atomics_lskel__open();
> +       if (!ASSERT_OK_PTR(skel, "atomics skeleton open"))
>                 return;
>
> +       skel->keyring_id = KEY_SPEC_SESSION_KEYRING;
> +       err = atomics_lskel__load(skel);
> +       if (!ASSERT_OK(err, "atomics skeleton load"))
> +               goto cleanup;
> +
>         if (skel->data->skip_tests) {
>                 printf("%s:SKIP:no ENABLE_ATOMICS_TESTS (missing Clang
> BPF atomics support)",
>                        __func__);
> - KP
>

That should work. 

>>
>> > +             err = bpftool_prog_sign(&sopts);
>> > +             if (err < 0)
>> > +                     return err;
>> > +
>> > +             codegen("\
>> > +             \n\
>> > +                     static const char opts_sig[] __attribute__((__aligned__(8))) = \"\\\n\
>> > +             ");
>> > +             print_hex((const void *)sig_buf, sopts.signature_sz);
>> > +             codegen("\
>> > +             \n\
>> > +             \";\n");
>> > +
>> > +             codegen("\
>> > +             \n\
>> > +                     static const char opts_excl_hash[] __attribute__((__aligned__(8))) = \"\\\n\
>> > +             ");
>> > +             print_hex((const void *)prog_sha, sizeof(prog_sha));
>> > +             codegen("\
>> > +             \n\
>> > +             \";\n");
>> > +
>> > +             codegen("\
>> > +             \n\
>> > +                     opts.signature = (void *)opts_sig;                      \n\
>> > +                     opts.signature_sz = sizeof(opts_sig) - 1;               \n\
>> > +                     opts.excl_prog_hash = (void *)opts_excl_hash;           \n\
>> > +                     opts.excl_prog_hash_sz = sizeof(opts_excl_hash) - 1;    \n\
>> > +                     opts.keyring_id = KEY_SPEC_SESSION_KEYRING;             \n\
>> > +             ");
>>
>> And here.
>>
>> > +     }
>> > +
>> > +     codegen("\
>> > +             \n\
>> >                       opts.ctx = (struct bpf_loader_ctx *)skel;           \n\
>> >                       opts.data_sz = sizeof(opts_data) - 1;               \n\
>> >                       opts.data = (void *)opts_data;                      \n\
>> > @@ -1240,7 +1291,7 @@ static int do_skeleton(int argc, char **argv)
>> >               err = -errno;
>> >               libbpf_strerror(err, err_buf, sizeof(err_buf));
>> >               p_err("failed to open BPF object file: %s", err_buf);
>> > -             goto out;
>> > +             goto out_obj;
>> >       }
>> >
>> >       bpf_object__for_each_map(map, obj) {
>> > @@ -1552,6 +1603,7 @@ static int do_skeleton(int argc, char **argv)
>> >       err = 0;
>> >  out:
>> >       bpf_object__close(obj);
>> > +out_obj:
>> >       if (obj_data)
>> >               munmap(obj_data, mmap_sz);
>> >       close(fd);
>> > @@ -1930,7 +1982,7 @@ static int do_help(int argc, char **argv)
>> >               "       %1$s %2$s help\n"
>> >               "\n"
>> >               "       " HELP_SPEC_OPTIONS " |\n"
>> > -             "                    {-L|--use-loader} }\n"
>> > +             "                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ]}\n"
>> >               "",
>> >               bin_name, "gen");
>> >
>> > diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
>> > index 0f1183b2ed0a..c78eb80b9c94 100644
>> > --- a/tools/bpf/bpftool/main.c
>> > +++ b/tools/bpf/bpftool/main.c
>> > @@ -33,6 +33,9 @@ bool relaxed_maps;
>> >  bool use_loader;
>> >  struct btf *base_btf;
>> >  struct hashmap *refs_table;
>> > +bool sign_progs;
>> > +const char *private_key_path;
>> > +const char *cert_path;
>> >
>> >  static void __noreturn clean_and_exit(int i)
>> >  {
>> > @@ -448,6 +451,7 @@ int main(int argc, char **argv)
>> >               { "nomount",    no_argument,    NULL,   'n' },
>> >               { "debug",      no_argument,    NULL,   'd' },
>> >               { "use-loader", no_argument,    NULL,   'L' },
>> > +             { "sign",       no_argument,    NULL,   'S' },
>> >               { "base-btf",   required_argument, NULL, 'B' },
>> >               { 0 }
>> >       };
>> > @@ -474,7 +478,7 @@ int main(int argc, char **argv)
>> >       bin_name = "bpftool";
>> >
>> >       opterr = 0;
>> > -     while ((opt = getopt_long(argc, argv, "VhpjfLmndB:l",
>> > +     while ((opt = getopt_long(argc, argv, "VhpjfLmndSi:k:B:l",
>> >                                 options, NULL)) >= 0) {
>> >               switch (opt) {
>> >               case 'V':
>> > @@ -520,6 +524,16 @@ int main(int argc, char **argv)
>> >               case 'L':
>> >                       use_loader = true;
>> >                       break;
>> > +             case 'S':
>> > +                     sign_progs = true;
>> > +                     use_loader = true;
>> > +                     break;
>> > +             case 'k':
>> > +                     private_key_path = optarg;
>> > +                     break;
>> > +             case 'i':
>> > +                     cert_path = optarg;
>> > +                     break;
>> >               default:
>> >                       p_err("unrecognized option '%s'", argv[optind - 1]);
>> >                       if (json_output)
>> > @@ -534,6 +548,16 @@ int main(int argc, char **argv)
>> >       if (argc < 0)
>> >               usage();
>> >
>> > +     if (sign_progs && (private_key_path == NULL || cert_path == NULL)) {
>> > +             p_err("-i <identity_x509_cert> and -k <private> key must be supplied with -S for signing");
>> > +             return -EINVAL;
>> > +     }
>> > +
>> > +     if (!sign_progs && (private_key_path != NULL || cert_path != NULL)) {
>> > +             p_err("-i <identity_x509_cert> and -k <private> also need --sign to be used for sign programs");
>> > +             return -EINVAL;
>> > +     }
>> > +
>> >       if (version_requested)
>> >               ret = do_version(argc, argv);
>> >       else
>> > diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
>> > index a2bb0714b3d6..f7f5b39b66c8 100644
>> > --- a/tools/bpf/bpftool/main.h
>> > +++ b/tools/bpf/bpftool/main.h
>> > @@ -6,9 +6,14 @@
>> >
>> >  /* BFD and kernel.h both define GCC_VERSION, differently */
>> >  #undef GCC_VERSION
>> > +#ifndef _GNU_SOURCE
>> > +#define _GNU_SOURCE
>> > +#endif
>> >  #include <stdbool.h>
>> >  #include <stdio.h>
>> > +#include <errno.h>
>> >  #include <stdlib.h>
>> > +#include <bpf/skel_internal.h>
>> >  #include <linux/bpf.h>
>> >  #include <linux/compiler.h>
>> >  #include <linux/kernel.h>
>> > @@ -52,6 +57,7 @@ static inline void *u64_to_ptr(__u64 ptr)
>> >       })
>> >
>> >  #define ERR_MAX_LEN  1024
>> > +#define MAX_SIG_SIZE 4096
>> >
>> >  #define BPF_TAG_FMT  "%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx%02hhx"
>> >
>> > @@ -85,6 +91,9 @@ extern bool relaxed_maps;
>> >  extern bool use_loader;
>> >  extern struct btf *base_btf;
>> >  extern struct hashmap *refs_table;
>> > +extern bool sign_progs;
>> > +extern const char *private_key_path;
>> > +extern const char *cert_path;
>> >
>> >  void __printf(1, 2) p_err(const char *fmt, ...);
>> >  void __printf(1, 2) p_info(const char *fmt, ...);
>> > @@ -275,4 +284,6 @@ int pathname_concat(char *buf, int buf_sz, const char *path,
>> >  /* print netfilter bpf_link info */
>> >  void netfilter_dump_plain(const struct bpf_link_info *info);
>> >  void netfilter_dump_json(const struct bpf_link_info *info, json_writer_t *wtr);
>> > +int bpftool_prog_sign(struct bpf_load_and_run_opts *opts);
>> > +__u32 register_session_key(const char *key_der_path);
>> >  #endif
>> > diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
>> > index 9722d841abc0..82b8da084504 100644
>> > --- a/tools/bpf/bpftool/prog.c
>> > +++ b/tools/bpf/bpftool/prog.c
>> > @@ -23,6 +23,7 @@
>> >  #include <linux/err.h>
>> >  #include <linux/perf_event.h>
>> >  #include <linux/sizes.h>
>> > +#include <linux/keyctl.h>
>> >
>> >  #include <bpf/bpf.h>
>> >  #include <bpf/btf.h>
>> > @@ -1930,6 +1931,8 @@ static int try_loader(struct gen_loader_opts *gen)
>> >  {
>> >       struct bpf_load_and_run_opts opts = {};
>> >       struct bpf_loader_ctx *ctx;
>> > +     char sig_buf[MAX_SIG_SIZE];
>> > +     __u8 prog_sha[SHA256_DIGEST_LENGTH];
>> >       int ctx_sz = sizeof(*ctx) + 64 * max(sizeof(struct bpf_map_desc),
>> >                                            sizeof(struct bpf_prog_desc));
>> >       int log_buf_sz = (1u << 24) - 1;
>> > @@ -1953,6 +1956,24 @@ static int try_loader(struct gen_loader_opts *gen)
>> >       opts.insns = gen->insns;
>> >       opts.insns_sz = gen->insns_sz;
>> >       fds_before = count_open_fds();
>> > +
>> > +     if (sign_progs) {
>> > +             opts.excl_prog_hash = prog_sha;
>> > +             opts.excl_prog_hash_sz = sizeof(prog_sha);
>> > +             opts.signature = sig_buf;
>> > +             opts.signature_sz = MAX_SIG_SIZE;
>> > +             opts.keyring_id = KEY_SPEC_SESSION_KEYRING;
>> > +
>>
>> And here as well.
>
> The "load -S" command loads and signs the program in one go, so this
> is purely for debugging and not how one would use signing. Session key
> is fine here. What we really want is flexibility when using skeletons.
>
> - KP
>
>
>
>>
>> > +             err = bpftool_prog_sign(&opts);
>> > +             if (err < 0)
>> > +                     return err;
>> > +
>> > +             err = register_session_key(cert_path);
>> > +             if (err < 0) {
>> > +                     p_err("failed to add session key");
>> > +                     goto out;
>> > +             }
>> > +     }
>> >       err = bpf_load_and_run(&opts);
>> >       fd_delta = count_open_fds() - fds_before;
>> >       if (err < 0 || verifier_logs) {
>> > @@ -1961,6 +1982,7 @@ static int try_loader(struct gen_loader_opts *gen)
>> >                       fprintf(stderr, "loader prog leaked %d FDs\n",
>> >                               fd_delta);
>> >       }
>> > +out:
>> >       free(log_buf);
>> >       return err;
>> >  }
>> > @@ -1988,6 +2010,9 @@ static int do_loader(int argc, char **argv)
>> >               goto err_close_obj;
>> >       }
>> >
>> > +     if (sign_progs)
>> > +             gen.gen_hash = true;
>> > +
>> >       err = bpf_object__gen_loader(obj, &gen);
>> >       if (err)
>> >               goto err_close_obj;
>> > @@ -2562,7 +2587,7 @@ static int do_help(int argc, char **argv)
>> >               "       METRIC := { cycles | instructions | l1d_loads | llc_misses | itlb_misses | dtlb_misses }\n"
>> >               "       " HELP_SPEC_OPTIONS " |\n"
>> >               "                    {-f|--bpffs} | {-m|--mapcompat} | {-n|--nomount} |\n"
>> > -             "                    {-L|--use-loader} }\n"
>> > +             "                    {-L|--use-loader} | [ {-S|--sign } {-k} <private_key.pem> {-i} <certificate.x509> ] \n"
>> >               "",
>> >               bin_name, argv[-2]);
>> >
>> > diff --git a/tools/bpf/bpftool/sign.c b/tools/bpf/bpftool/sign.c
>> > new file mode 100644
>> > index 000000000000..b29d825bb1d4
>> > --- /dev/null
>> > +++ b/tools/bpf/bpftool/sign.c
>> > @@ -0,0 +1,212 @@
>> > +// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
>> > +/*
>> > + * Copyright (C) 2025 Google LLC.
>> > + */
>> > +
>> > +#ifndef _GNU_SOURCE
>> > +#define _GNU_SOURCE
>> > +#endif
>> > +#include <stdio.h>
>> > +#include <stdlib.h>
>> > +#include <stdint.h>
>> > +#include <stdbool.h>
>> > +#include <string.h>
>> > +#include <string.h>
>> > +#include <getopt.h>
>> > +#include <err.h>
>> > +#include <openssl/opensslv.h>
>> > +#include <openssl/bio.h>
>> > +#include <openssl/evp.h>
>> > +#include <openssl/pem.h>
>> > +#include <openssl/err.h>
>> > +#include <openssl/cms.h>
>> > +#include <linux/keyctl.h>
>> > +#include <errno.h>
>> > +
>> > +#include <bpf/skel_internal.h>
>> > +
>> > +#include "main.h"
>> > +
>> > +#define OPEN_SSL_ERR_BUF_LEN 256
>> > +
>> > +static void display_openssl_errors(int l)
>> > +{
>> > +     char buf[OPEN_SSL_ERR_BUF_LEN];
>> > +     const char *file;
>> > +     const char *data;
>> > +     unsigned long e;
>> > +     int flags;
>> > +     int line;
>> > +
>> > +     while ((e = ERR_get_error_all(&file, &line, NULL, &data, &flags))) {
>> > +             ERR_error_string_n(e, buf, sizeof(buf));
>> > +             if (data && (flags & ERR_TXT_STRING)) {
>> > +                     p_err("OpenSSL %s: %s:%d: %s", buf, file, line, data);
>> > +             } else {
>> > +                     p_err("OpenSSL %s: %s:%d", buf, file, line);
>> > +             }
>> > +     }
>> > +}
>> > +
>> > +#define DISPLAY_OSSL_ERR(cond)                                \
>> > +     do {                                             \
>> > +             bool __cond = (cond);                    \
>> > +             if (__cond && ERR_peek_error())          \
>> > +                     display_openssl_errors(__LINE__);\
>> > +     } while (0)
>> > +
>> > +static EVP_PKEY *read_private_key(const char *pkey_path)
>> > +{
>> > +     EVP_PKEY *private_key = NULL;
>> > +     BIO *b;
>> > +
>> > +     b = BIO_new_file(pkey_path, "rb");
>> > +     private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
>> > +     BIO_free(b);
>> > +     DISPLAY_OSSL_ERR(!private_key);
>> > +     return private_key;
>> > +}
>> > +
>> > +static X509 *read_x509(const char *x509_name)
>> > +{
>> > +     unsigned char buf[2];
>> > +     X509 *x509 = NULL;
>> > +     BIO *b;
>> > +     int n;
>> > +
>> > +     b = BIO_new_file(x509_name, "rb");
>> > +     if (!b)
>> > +             goto cleanup;
>> > +
>> > +     /* Look at the first two bytes of the file to determine the encoding */
>> > +     n = BIO_read(b, buf, 2);
>> > +     if (n != 2)
>> > +             goto cleanup;
>> > +
>> > +     if (BIO_reset(b) != 0)
>> > +             goto cleanup;
>> > +
>> > +     if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
>> > +             /* Assume raw DER encoded X.509 */
>> > +             x509 = d2i_X509_bio(b, NULL);
>> > +     else
>> > +             /* Assume PEM encoded X.509 */
>> > +             x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
>> > +
>> > +cleanup:
>> > +     BIO_free(b);
>> > +     DISPLAY_OSSL_ERR(!x509);
>> > +     return x509;
>> > +}
>> > +
>> > +__u32 register_session_key(const char *key_der_path)
>> > +{
>> > +     unsigned char *der_buf = NULL;
>> > +     X509 *x509 = NULL;
>> > +     int key_id = -1;
>> > +     int der_len;
>> > +
>> > +     if (!key_der_path)
>> > +             return key_id;
>> > +     x509 = read_x509(key_der_path);
>> > +     if (!x509)
>> > +             goto cleanup;
>> > +     der_len = i2d_X509(x509, &der_buf);
>> > +     if (der_len < 0)
>> > +             goto cleanup;
>> > +     key_id = syscall(__NR_add_key, "asymmetric", key_der_path, der_buf,
>> > +                          (size_t)der_len, KEY_SPEC_SESSION_KEYRING);
>> > +cleanup:
>> > +     X509_free(x509);
>> > +     OPENSSL_free(der_buf);
>> > +     DISPLAY_OSSL_ERR(key_id == -1);
>> > +     return key_id;
>> > +}
>> > +
>> > +int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
>> > +{
>> > +     BIO *bd_in = NULL, *bd_out = NULL;
>> > +     EVP_PKEY *private_key = NULL;
>> > +     CMS_ContentInfo *cms = NULL;
>> > +     long actual_sig_len = 0;
>> > +     X509 *x509 = NULL;
>> > +     int err = 0;
>> > +
>> > +     bd_in = BIO_new_mem_buf(opts->insns, opts->insns_sz);
>> > +     if (!bd_in) {
>> > +             err = -ENOMEM;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     private_key = read_private_key(private_key_path);
>> > +     if (!private_key) {
>> > +             err = -EINVAL;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     x509 = read_x509(cert_path);
>> > +     if (!x509) {
>> > +             err = -EINVAL;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     cms = CMS_sign(NULL, NULL, NULL, NULL,
>> > +                    CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED |
>> > +                            CMS_STREAM);
>> > +     if (!cms) {
>> > +             err = -EINVAL;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     if (!CMS_add1_signer(cms, x509, private_key, EVP_sha256(),
>> > +                          CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
>> > +                          CMS_USE_KEYID | CMS_NOATTR)) {
>> > +             err = -EINVAL;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     if (CMS_final(cms, bd_in, NULL, CMS_NOCERTS | CMS_BINARY) != 1) {
>> > +             err = -EIO;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     EVP_Digest(opts->insns, opts->insns_sz, opts->excl_prog_hash,
>> > +                &opts->excl_prog_hash_sz, EVP_sha256(), NULL);
>> > +
>> > +             bd_out = BIO_new(BIO_s_mem());
>> > +     if (!bd_out) {
>> > +             err = -ENOMEM;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     if (!i2d_CMS_bio_stream(bd_out, cms, NULL, 0)) {
>> > +             err = -EIO;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     actual_sig_len = BIO_get_mem_data(bd_out, NULL);
>> > +     if (actual_sig_len <= 0) {
>> > +             err = -EIO;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     if ((size_t)actual_sig_len > opts->signature_sz) {
>> > +             err = -ENOSPC;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     if (BIO_read(bd_out, opts->signature, actual_sig_len) != actual_sig_len) {
>> > +             err = -EIO;
>> > +             goto cleanup;
>> > +     }
>> > +
>> > +     opts->signature_sz = actual_sig_len;
>> > +cleanup:
>> > +     BIO_free(bd_out);
>> > +     CMS_ContentInfo_free(cms);
>> > +     X509_free(x509);
>> > +     EVP_PKEY_free(private_key);
>> > +     BIO_free(bd_in);
>> > +     DISPLAY_OSSL_ERR(err < 0);
>> > +     return err;
>> > +}
>> > --
>> > 2.43.0

Re: [PATCH v3 08/12] bpf: Implement signature verification for BPF programs

[Paul Moore]

On Wed, Aug 13, 2025 at 6:17 PM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Aug 13, 2025 at 5:37 PM KP Singh <kpsingh@kernel.org> wrote:
> > On Wed, Aug 13, 2025 at 11:02 PM Paul Moore <paul@paul-moore.com> wrote:
> > >
> > > It's nice to see a v3 revision, but it would be good to see some
> > > comments on Blaise's reply to your v2 revision.  From what I can see
> > > it should enable the different use cases and requirements that have
> > > been posted.
> >
> > I will defer to Alexei and others here (mostly due to time crunch). It
> > would however be useful to explain the use-cases in which signed maps
> > are useful (beyond being a different approach than the current
> > delegated verification).

I wanted to bring this up again as it has been another week with no
comment from the BPF side of the house regarding Blaise's additions.
As a reminder, Blaise's patch can be found here:

https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@microsoft.com

> The use cases and requirements have been described quite a bit in
> previous threads already, with both you and Alexei participating in
> those discussions.  If you really can't find the threads on lore let
> me know and I'll be happy to send you links to all of the various
> threads from the past several months.
>
> However, if I had to point to a single email that I felt best
> summarized my requirements, I think it might be this:
>
> <<< QUOTE >>>
> The loader (+ implicit loader verification of maps w/original program)
> signature verification scheme has been requested by Alexei/KP, and
> that's fine, the code is trivial and if the user/admin is satisfied
> with that as a solution, great.  However, the loader + map signature
> verification scheme has some advantages and helps satisfy some
> requirements that are not satisfied by only verifying the loader and
> relying on the loader to verify the original program stored in the
> maps.  One obvious advantage is that the lskel loader is much simpler
> in this case as it doesn't need to worry about verification of the
> program maps as that has already been done in bpf_check_signature().
> I'm sure there are probably some other obvious reasons, but beyond the
> one mentioned above, the other advantages that I'm interested in are a
> little less obvious, or at least I haven't seen them brought up yet.
> As I mentioned in an earlier thread, it's important to have the LSM
> hook that handles authorization of a BPF program load *after* the BPF
> program's signature has been verified.  This is not simply because the
> LSM implementation might want to enforce and access control on a BPF
> program load due to the signature state (signature verified vs no
> signature), but also because the LSM might want to measure system
> state and/or provide a record of the operation.  If we only verify the
> lskel loader, at the point in time that the security_bpf_prog_load()
> hook is called, we haven't properly verified both the loader and the
> original BPF program stored in the map, that doesn't happen until much
> later when the lskel loader executes.  Yes, I understand that may
> sound very pedantic and fussy, but there are users who care very much
> about those details, and if they see an event in the logs that
> indicates that the BPF program signature has been verified as "good",
> they need that log event to be fully, 100% true, and not have an
> asterix of "only the lskel loader has been verified, the original BPF
> program will potentially be verified later without any additional
> events being logged to indicate the verification".
> <<< /QUOTE >>>
>
> The above was taken from this on-list email:
> https://lore.kernel.org/linux-security-module/CAHC9VhQT=ymqssa9ymXtvssHTdVH_64T8Mpb0Mh8oxRD0Guo_Q@mail.gmail.com/

-- 
paul-moore.com

Re: [PATCH v3 08/12] bpf: Implement signature verification for BPF programs

[Paul Moore]

On Tue, Aug 19, 2025 at 3:19 PM Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Aug 13, 2025 at 6:17 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Wed, Aug 13, 2025 at 5:37 PM KP Singh <kpsingh@kernel.org> wrote:
> > > On Wed, Aug 13, 2025 at 11:02 PM Paul Moore <paul@paul-moore.com> wrote:
> > > >
> > > > It's nice to see a v3 revision, but it would be good to see some
> > > > comments on Blaise's reply to your v2 revision.  From what I can see
> > > > it should enable the different use cases and requirements that have
> > > > been posted.
> > >
> > > I will defer to Alexei and others here (mostly due to time crunch). It
> > > would however be useful to explain the use-cases in which signed maps
> > > are useful (beyond being a different approach than the current
> > > delegated verification).
>
> I wanted to bring this up again as it has been another week with no
> comment from the BPF side of the house regarding Blaise's additions.
> As a reminder, Blaise's patch can be found here:
>
> https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@microsoft.com

Another gentle ping.  I realize everyone is busy, and August is a
popular month for holidays, but it has been a month since Blaise
posted his patch/snippet; it would be nice to get some feedback on the
basic idea.

https://lore.kernel.org/linux-security-module/87sei58vy3.fsf@microsoft.com

-- 
paul-moore.com